I am monitoring myserver logs file created by BEA using a universal forwarder on the BEA instance.
I want to create an alert when the log indicates a failure to connect to CISCO.
The search string in my alert looks like this.
sourcetype="myserver" | search "Could not open connection with host: cisco1.cisco.net and port: 101" | stats count as connectionFailure WHERE connectionFailure>0 | eval hourTimeStamp= date_hour.":".date_minute.":".date_second | fields hourTimeStamp,connectionFailure
Note that date_hour, date_minute and date_second are all populated.
However, this search does not seem to be working and I reckon it's because I am not using eval and stats in the right manner.
Any suggestions on how to better this?
The goal of the Alert is to do two things
i) Run this search every 5 minutes so that connectionFailures are detected (count how many)
ii) TimeStamp the event.
If I get the search, I can set the alert myself.
It looks like you are trying to use eval for concatenation; that would look like:
... | eval hourTimeStamp= date_hour + ":" + date_minute + ":" +date_second |
It is unclear what you need the timestamp for... Splunk knows the time period of the search and you do not need to create a timestamp. But I included a field that contains the time that the search started minus 5 minutes.
sourcetype="myserver" "Could not open connection with host: cisco1.cisco.net and port: 101"
| stats count as connectionFailure
| eval searchStartTime=relative_time(now(),"-5m")
| fieldformat searchStart = strftime(searchStartTime,"%H:%M:%S")
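As an added example (not part of the answer above or of the original thread), here is a complete version of the alert search that does both things the question asks for: count the connection failures in the 5-minute window the scheduled search covers, and carry a timestamp in the result. Two points it illustrates: stats keeps only the fields it aggregates, so date_hour, date_minute and date_second are gone after the stats command (which is why the eval in the question produces nothing), and the filter on the count belongs in a separate where command after stats, not inside it. The sourcetype and the message string come from the question; the field names windowStart, lastFailure and connectionFailure are my own choices.

```spl
sourcetype="myserver" "Could not open connection with host: cisco1.cisco.net and port: 101" earliest=-5m@m latest=@m
| stats count AS connectionFailure, max(_time) AS lastFailureTime
| where connectionFailure > 0
| eval windowStart=strftime(relative_time(now(), "-5m@m"), "%H:%M:%S"),
       lastFailure=strftime(lastFailureTime, "%H:%M:%S")
| fields windowStart, lastFailure, connectionFailure
```

Schedule the alert with the cron expression */5 * * * * and trigger it on "number of results > 0". Without the where command, stats still returns one row with connectionFailure=0 when nothing matched, so the alert would fire every 5 minutes; with it, an empty result means no failures in the window. The earliest/latest snap to the minute so consecutive runs cover adjacent, non-overlapping windows, and max(_time) gives the time of the most recent failure rather than the time the search ran.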
Sorry - melting saw my error... my typing really stunk on that one...
We are close, it is :
eval searchStartTime=relative_time(now(), "-5m")
Other eval commands:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
| eval searchStartTime=relativetime(now,"-5,")
Are you sure this is allowed? Splunk says it does not know of a relativetime() method.