Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use subsearch to only return server events ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lennys26
Communicator
10-21-2015
05:51 AM
I have a search that returns server events and would like to know when this event is NOT followed by a recovery message within a short period of time.
In my example below, the event is triggered and it recovers 5 seconds later. In this case, I would NOT want this to return results.
Oct 21 06:40:13 cam-vm-mon3 mfsmount[3425]: master: connection lost (1)
Oct 21 06:40:18 cam-vm-mon3 mfsmount[3425]: registered to master
To give my question better context, I am actually running this in an old Splunk 4.3 install and am configuring this as an alert, so these are alert criteria more than search criteria
I have been playing with append and appendpipes but am not having any luck. Can anyone offer any suggestions?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
10-22-2015
07:56 AM
Like this (with a base search that limits to only 2 types of events):
... | eval type=case(searchmatch("master: connection lost"), "down", searchmatch("registered to master"), "up", true(), "BUG!") | reverse | streamstats count(eval(type="down")) AS sessionID by host | eventstats latest(_time) AS latestTime latest(type) AS latestType by sessionID host | where type="down" | eval downSeconds=if(latestType="down", now(), latestTime) - _time | where downSeconds > 5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
10-22-2015
07:56 AM
Like this (with a base search that limits to only 2 types of events):
... | eval type=case(searchmatch("master: connection lost"), "down", searchmatch("registered to master"), "up", true(), "BUG!") | reverse | streamstats count(eval(type="down")) AS sessionID by host | eventstats latest(_time) AS latestTime latest(type) AS latestType by sessionID host | where type="down" | eval downSeconds=if(latestType="down", now(), latestTime) - _time | where downSeconds > 5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lennys26
Communicator
10-22-2015
03:37 AM
Additional thoughts on paths forward.
- Search for "master". Eval/search for "registered". Where this returns NULL, return details from Master search (or return something!), else, return NULL.
OR
- In the past I have played (unsuccessfully) with the idea of simply using a counter to....say.... run a search for "master" and a sub-search for "registered". For each event matching "master" add 1 (to x), for each "registered" subtract 1. Then where x>0, do something
Get Updates on the Splunk Community!
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
