Splunk Search

Event Time is less than 10 min old

christopheducha
Explorer

Hello
I'm a splunk newbie, be gentle please.

I'm trying to monitor my VPNs' status with Splunk; unfortunately my firewall does not log VPN up or down.
So I made a PowerShell script that every 4 minutes sends a set of pings to an IP on the destination site of each VPN.
Each ping gets exported to a CSV file, automatically renamed with a timestamp to a new source file name for each VPN.

My search string is:
index=ping | eval Procent=if(like(_raw, "%100%"), "DOWN", "UP") | table _time, VPN, Procent, SyncOff | sort VPN, -_time | dedup VPN

Procent stands for a set of pings that are 100% lost.
Works perfectly so far.

But I wanted to have the "SyncOff" field tell me if one of the VPNs hasn't been pinged in the last 10 min, due to a PowerShell script malfunction or whatever.

So in short, if _time is less than 10 min, set the field SyncOff to "Out of Sync".

Can anybody help me with this, please?

1 Solution

DalJeanis
SplunkTrust

First, by default, Splunk returns the most recent record first, so your sort, while correct, is redundant. Also, sort has an implicit limit on the number of records it returns, so get in the habit of coding it | sort 0 so it doesn't drop any records that are over the limit.

You only need the most recent record for each VPN, so you can run dedup right out of the box. The only non-internal field you are using is VPN, so you can use the fields command as soon as possible to get rid of everything else. (Internal fields like _time and _raw will stick around until the table command.)

index=ping
| fields VPN
| dedup VPN
| eval Procent=if(like(_raw, "%100%"), "DOWN", "UP")
| table _time, VPN, Procent, SyncOff

Second, epoch time is in seconds, so the epoch time for "ten minutes before the search began" is now() - 600, and the number of seconds before the search began that an event occurred is calculated as now() - _time.

| eval SyncOff=if(now() - _time > 600, "Out of Sync", "In Sync")

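
Added illustration, not code from the thread, from Splunk, or from the poster's PowerShell script: the accepted search's logic (latest event per VPN, Procent from a "100" in _raw, SyncOff from now() - _time > 600) re-implemented in Python over constructed ping rows, with a fixed NOW standing in for now(), so the dedup-then-eval order and the 600-second boundary can be checked outside Splunk. The VPN names and ping lines are made up.

```python
from dataclasses import dataclass

STALE_AFTER_SECONDS = 600   # same constant as now() - _time > 600 in the search
NOW = 1_700_000_000         # fixed stand-in for now() so the results are repeatable

@dataclass(frozen=True)
class PingEvent:
    vpn: str    # the VPN field extracted from the CSV
    time: int   # epoch seconds, plays the role of _time
    raw: str    # the exported ping line, plays the role of _raw

def procent(raw: str) -> str:
    # like(_raw, "%100%") is a plain substring test, so any "100" in the line counts
    return "DOWN" if "100" in raw else "UP"

def sync_off(event_time: int, now: int) -> str:
    # now() - _time > 600: strictly older than ten minutes is stale;
    # an event exactly 600 s old is still "In Sync"
    return "Out of Sync" if now - event_time > STALE_AFTER_SECONDS else "In Sync"

def latest_per_vpn(events):
    # sort VPN, -_time | dedup VPN: keep only the most recent event of each VPN
    latest = {}
    for ev in events:
        if ev.vpn not in latest or ev.time > latest[ev.vpn].time:
            latest[ev.vpn] = ev
    return latest

def vpn_status(events, now=NOW):
    # table _time, VPN, Procent, SyncOff, keyed by VPN
    return {
        ev.vpn: {"_time": ev.time, "Procent": procent(ev.raw), "SyncOff": sync_off(ev.time, now)}
        for ev in latest_per_vpn(events).values()
    }

# Constructed sample rows (not real data); the ping text mimics Windows ping output.
SAMPLE_EVENTS = [
    PingEvent("siteA", NOW - 480, "Sent = 4, Received = 0, Lost = 4 (100% loss)"),
    PingEvent("siteA", NOW - 240, "Sent = 4, Received = 4, Lost = 0 (0% loss)"),   # newest siteA row wins
    PingEvent("siteB", NOW - 300, "Sent = 4, Received = 0, Lost = 4 (100% loss)"),  # tunnel down, script alive
    PingEvent("siteC", NOW - 1500, "Sent = 4, Received = 4, Lost = 0 (0% loss)"),  # script stopped running
    PingEvent("siteD", NOW - 600, "Sent = 4, Received = 4, Lost = 0 (0% loss)"),   # boundary case
]

if __name__ == "__main__":
    for vpn, row in sorted(vpn_status(SAMPLE_EVENTS).items()):
        print(vpn, row["Procent"], row["SyncOff"])
```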


christopheducha
Explorer

Thanks, exactly what I wanted. Works like a charm.

skoelpin
SplunkTrust

I think relative_time is what you're looking for.

This will give you the epoch time of 10 minutes ago relative to now. Then if you want to test against this time, just add the extra conditional logic:

| eval ten_min_ago=relative_time(now(), "-10m@m")
| eval test_the_script=if('Last_Script_Run'<'ten_min_ago',"He's dead Jim","Success")

https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/DateandTimeFunctions#relative_tim...


DalJeanis
SplunkTrust

@skoelpin - This works, but with comparing epoch time fields against a constant time difference, you can just use the number of seconds as a shortcut. Your method is absolutely what would be needed if the time being checked was "one month" or "one quarter" or "one year", which are not fixed numbers of seconds.

skoelpin
SplunkTrust

Yeah, agreed. I like your solution better.
