Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using Stats and Eval (and adding timestamps)

asarolkar
Builder
‎09-27-2012 04:06 PM

I am monitoring myserver logs file created by BEA using a universal forwarder on the BEA instance.

I want to create an alert that log indicates a failure to connect to CISCO.

The search string in my alert looks like this. 

sourcetype="myserver" | search "Could not open connection with host: cisco1.cisco.net and port: 101" | stats count as connectionFailure  WHERE connectionFailure>0 | eval hourTimeStamp= date_hour.":".date_minute.":".date_second | fields hourTimeStamp,connectionFailure

Note that date_hour, date_minute and date_second are all populated.

However this search does not seem to be working and i reckon its because I am not using eval and stats in the right manner

Any suggestions on how to better this ?

The goal of the Alert is to do two things


i) Run this search every 5 minutes so that connectionFailures are detected (count how many)


ii) TimeStamp the event.





If I get the search, I can set the alert myself.

0 Karma
Reply

melting
Splunk Employee
Splunk Employee
‎09-27-2012 04:19 PM

It looks like you are trying to use eval for concatentation, that would look like:

... | eval hourTimeStamp= date_hour + ":" + date_minute + ":" +date_second |
Reply

lguinn2
Legend
‎09-27-2012 04:12 PM

It is unclear what you need the timestamp for... Splunk knows the time period of the search and you do not need to create a timestamp. But I included a field that contains the time that the search started minus 5 minutes.

sourcetype="myserver"  "Could not open connection with host: cisco1.cisco.net and port: 101" 
| stats count as connectionFailure
| eval searchStartTime=relative_time(now(),"-5m")
| fieldFormat searchStart = strftime(searchStartTime,"$H:$M:$S")
Reply

lguinn2
Legend
‎09-27-2012 09:34 PM

Sorry - melting saw my error... my typing really stunk on that one...

0 Karma
Reply

melting
Splunk Employee
Splunk Employee
‎09-27-2012 04:59 PM

We are close, it is :

eval searchStartTime=relative_time(now(), "-5m")

other eval commandes:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

0 Karma
Reply

asarolkar
Builder
‎09-27-2012 04:24 PM

| eval searchStartTime=relativetime(now,"-5,")

are you sure this is allowed ? Splunk says it does not know of a relativetime() method

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...