Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Custom Condition in Alert Assistance

xxhavok1xx
Explorer
‎06-11-2013 11:16 AM

Hi, every night my server team brings down specific groups of servers and performs maintenance on them. Sometime later that night the servers will be brought back up and I will see the respective interface change in my syslogs.

I created a real-time search that will alert me every time an interface is brought down and then back up. Is it possible, perhaps using the Custom condition search, to notify me if an interface is not brought back up after X amount of hours?

Although rare, the server team on occasion forgets to bring a server back up and my team ends up troubleshooting the problem the next morning. It would be ideal if I was told that was brought down never came back up after say 4-5 hours.

I currently have two separate real-time searches, one looking for the interface state change to down and the other to up - perhaps I can do all this with a single search?

Any thoughts?
Thanks!

Tags (3)
0 Karma
Reply

lguinn2
Legend
‎06-16-2013 11:36 PM

Here is my example - it's pretty limited as you can see, because I don't know much about your environment. I am assuming that you have the following

  • a field named interfaceID that uniquely identifies the interface

  • a field named interfaceStatus that captures the state of the interface - up or down

    interfaceStatus=up OR interfaceStatus=down earliest=-8h
    | stats latest(interfaceStatus) as currentStatus latest(_time) as timeOfStatus by interfaceID
    | where currentStatus="down" AND timeOfStatus < relative_time(now(), "-4h")
    | fieldFormat timeOfStatus=strftime(timeOfStatus,"%x %X")

Set this search to run once per hour, and to alert you if the number of results > 0.

0 Karma
Reply

lguinn2
Legend
‎06-16-2013 11:16 PM

I think this would be relatively easy to do as a single search - and it probably doesn't need to be a real-time search, either. However, I don't really have enough info to show an example search - perhaps you could show the two searches? Anonymized as necessary.

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...