Splunk Search

How to set up a conditional search on my application logs to find whether the last start message was recent?

mani2004_maddy
New Member

I need help setting up a conditional search on my application logs for stop (Application Stopped) and start (Application Started) messages. It appends whenever we recycle the application. How do I find whether the last start message was recent?


sjohnson_splunk
Splunk Employee

You need to define what "recent" means, as your time range means everything in Splunk.

If you need an alert, write the search that finds what you are looking for, then save it as a scheduled search. You must then specify the time period you consider recent and how often you want to run the search.

You might consider running the search 1x per day (8 am or whenever) and then look back over the last 24 hours (-24h) until now.


somesoni2
SplunkTrust

Could you provide more details on what you're looking for, backed by log samples and expected output? If you want to capture the latest/recent of any type of event, you might be able to use | stats latest(...type of syntax, but I can't say for sure unless I see more details...


mani2004_maddy
New Member
index="prod" sourcetype="applogt" "AppClusterMember stopped"
| convert ctime(_time) as StoTime timeformat=%H:%M
| convert ctime(_time) as Date timeformat=%x
| stats values(StoTime) as StopTime by Date,host
| stats list(host) as Host, list(StopTime) as StopTimee by Date
| sort -Date
| appendcols
    [search index="prod" sourcetype="applogt" "AppClusterMember started"
    | convert ctime(_time) as StaTime timeformat=%H:%M
    | convert ctime(_time) as Date timeformat=%x
    | stats values(StaTime) as StartTime by Date,host
    | stats list(host) as Host, list(StartTime) as StartTimee by Date
    | sort -Date]

This is my search, where I'm not getting sorted output if the application was stopped and started twice or more in a day. I'm getting the output below.

Date       Host     StopTime   StartTime
1/4/2017   Node1    1:23       1:30
           Node2    1:30       1:42
           Node3    1:45       1:52
           Node4    1:53       2:04
                    1:42       1:45
                    1:48       1:55
                    1:52       1:59
                    2:04       2:12
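The misaligned output above comes from appendcols, which pairs rows by position rather than by Date or host, so the second stop/start cycle of the day no longer lines up with the host it belongs to. The following search is an added example, not part of any post in this thread, that follows the two suggestions given above: it computes the latest stop and latest start per host with stats latest(...) instead of appendcols, and it applies an explicit definition of "recent" so it can be saved as a scheduled search. The index, sourcetype and message strings are taken from the search posted in the question; the 30-minute threshold, the field names (last_stop, last_start, start_age_min, status) and the status labels are assumptions chosen for illustration.

```spl
index="prod" sourcetype="applogt" ("AppClusterMember stopped" OR "AppClusterMember started")
| eval event_type=if(searchmatch("AppClusterMember started"), "start", "stop")
| stats latest(eval(if(event_type="stop", _time, null()))) AS last_stop
        latest(eval(if(event_type="start", _time, null()))) AS last_start
        BY host
| eval start_age_min=round((now() - last_start) / 60, 0)
| eval status=case(
        isnull(last_start), "stopped, no start in search window",
        isnotnull(last_stop) AND last_stop > last_start, "stopped after last start",
        start_age_min <= 30, "started recently",
        true(), "running, last start not recent")
| eval last_stop=strftime(last_stop, "%x %H:%M"),
       last_start=strftime(last_start, "%x %H:%M")
| table host last_stop last_start start_age_min status
| where status!="started recently"
```

Run it over the look-back window you consider relevant (for example the last 24 hours, as suggested above) and save it as a scheduled search or alert that triggers when the number of results is greater than zero; any host listed either has no start at all in the window, was stopped after its last start, or last started more than 30 minutes ago. Change the 30 in the case() expression to whatever "recent" means for your application; removing the final where clause gives a per-host status table instead of an alert condition.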