Hi Splunkers,
We are looking to join 2 searches to get a single result.
Currently we have a search which gives UP and DOWN status. When a server is UP, it turns green, and if DOWN, it turns RED. Below is the search.
This search takes the latest event and gives us the result (UP/DOWN) based on status. If we don't have any latest event, by default it is UP.
index=f5 server1 monitor status
| fillnull value="up" F5_TCPStatus
| eval status=if(F5_MonitorStatus="monitor status up" OR F5_MonitorStatus="monitor status enabled", 10, 0)
| head 1
| appendpipe [ stats count | eval status=10 | where count==0 | fields - count ]
| stats values(status) AS severity
| rangemap field=severity severe=0-9 low=10-11 default=elevated
Now the current scenario is that we have 2 more statuses added to the field "MonitorStatus":
1. Monitor Status Enabled
2. Monitor Status Disabled
These statuses occur when server administrators disable a server during a maintenance window.
Scenario 1: If we filter the head 1 event with status "up" and the head 1 event with status "Disabled", then we need to turn the symbol RED.
This gives us the UP/DOWN status for the head 1 event:
index=f5 server1 monitor status
| fillnull value="up" F5_TCPStatus
| eval status=if(F5_MonitorStatus="monitor status up", 10, 0)
| head 1
| appendpipe [ stats count | eval status=10 | where count==0 | fields - count ]
| stats values(status) AS severity
| rangemap field=severity severe=0-9 low=10-11 default=elevated
This gives the head 1 event of the Enabled/Disabled status:
index=f5 server1 monitor status disabled
| fillnull value="enabled" F5_TCPStatus
| eval status=if(F5_MonitorStatus="monitor status enabled", 10, 0)
| head 1
| appendpipe [ stats count | eval status=10 | where count==0 | fields - count ]
| stats values(status) AS severity
| rangemap field=severity severe=0-9 low=10-11 default=elevated
We need to combine these 2 searches so that it checks the events of both searches and satisfies the conditions below to be GREEN or RED:
Color    Status1    Status2
GREEN    UP         ENABLED
RED      UP         DISABLED
RED      DOWN       ENABLED
RED      DOWN       DISABLED
How to join my two searches to monitor a combination of two status fields for a rangemap condition?
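One way to fold the two searches into a single rangemap result, written as an added example rather than the poster's own search. It keeps the field and value strings from the post (F5_MonitorStatus, "monitor status up", "monitor status enabled", "monitor status disabled", the 0-9 / 10-11 rangemap bands and the "no events means UP" default) and assumes two things not stated in the post: that availability events are every monitor-status event that is not an enabled/disabled event (the NOT filter), and that a helper field named kind can be used to tell the two latest events apart after append.

```spl
index=f5 server1 "monitor status"
    NOT (F5_MonitorStatus="monitor status enabled" OR F5_MonitorStatus="monitor status disabled")
| head 1
| eval kind="avail", ok=if(F5_MonitorStatus="monitor status up", 1, 0)
| append [
    search index=f5 server1 "monitor status"
        (F5_MonitorStatus="monitor status enabled" OR F5_MonitorStatus="monitor status disabled")
    | head 1
    | eval kind="admin", ok=if(F5_MonitorStatus="monitor status enabled", 1, 0)
  ]
| stats max(eval(if(kind="avail", ok, null()))) AS avail_ok,
        max(eval(if(kind="admin", ok, null()))) AS admin_ok
| fillnull value=1 avail_ok admin_ok
| eval status=if(avail_ok=1, "UP", "DOWN") . " / " . if(admin_ok=1, "ENABLED", "DISABLED")
| eval severity=if(avail_ok=1 AND admin_ok=1, 10, 0)
| rangemap field=severity severe=0-9 low=10-11 default=elevated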