- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Event Time is less then 10 min old
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I'm a splunk newbie, be gentle please.
I'm try to monitoring my VPNs status with splunk, unfortunately my firewall does not log vpn up or down.
So I made a powershell script that makes every 4 minutes a set of pings to an IP on the destination site of each VPN.
Each ping gets exported to a csv file, automatically renamed with timestamp to a new source file name from each vpn.
My search string is:
index=ping | eval Procent=if(like(_raw, "%100%" ), "DOWN" , "UP") | table _time , VPN , Procent , SyncOff | sort VPN , -_time | dedup VPN
Procent stands for set of pings that are 100% lost.
Works perfectly so far.
But I wanted to have the "SyncOff" field to tell me if one of the VPN's hasn't been pinged in the last 10min, due to a powershell script malfunction or whatever.
So in short, if _time is less then 10min, set field Syncoff to "Out of Sync".
Can anybody help me with this, please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, by default, splunk returns the most recent record first, so your sort, while correct, is redundant. Also, sort has an implicit limit on the number of records it returns, so get in the habit of coding it | sort 0 so it doesn't drop any records that are over the limit.
You only need the most recent record for each VPN, so you can run dedup right out of the box. The only non internal field you are using is VPN, so you can use the fields command as soon as possible to get rid of everything else. (Internal fields like _time and _raw will stick around until the table command.)
index=ping
| fields VPN
| dedup VPN
| eval Procent=if(like(_raw, "%100%" ), "DOWN" , "UP")
| table _time, VPN, Procent, SyncOff
Second, epoch time is in seconds, so the epoch time for "ten minutes before the search began" is now() - 600, and the number of seconds before the search began that an event occurred is calculated as now() - _time.
| eval SyncOff=if(now() - _time > 600, "Out of Sync", "In Sync")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, by default, splunk returns the most recent record first, so your sort, while correct, is redundant. Also, sort has an implicit limit on the number of records it returns, so get in the habit of coding it | sort 0 so it doesn't drop any records that are over the limit.
You only need the most recent record for each VPN, so you can run dedup right out of the box. The only non internal field you are using is VPN, so you can use the fields command as soon as possible to get rid of everything else. (Internal fields like _time and _raw will stick around until the table command.)
index=ping
| fields VPN
| dedup VPN
| eval Procent=if(like(_raw, "%100%" ), "DOWN" , "UP")
| table _time, VPN, Procent, SyncOff
Second, epoch time is in seconds, so the epoch time for "ten minutes before the search began" is now() - 600, and the number of seconds before the search began that an event occurred is calculated as now() - _time.
| eval SyncOff=if(now() - _time > 600, "Out of Sync", "In Sync")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, exactly what I wanted. Works like a charm.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think relative_time is what your looking for
This will give you epoch time of 10 minute ago relative to now. Then if you want to test against this time, just add the extra conditional logic
| eval ten_min_ago=relative_time(now(), "-10m@m")
| eval test_the_script=if('Last_Script_Run'>'ten_min_ago',"He's dead Jim","Success")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@skoelpin - This works, but with comparing epoch time fields against a constant time difference, you can just use the number of seconds as a shortcut. Your method is absolutely what would be needed if the time being checked was "one month" or "one quarter" or "one year", which are not fixed numbers of seconds.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah agreed, I like your solution better
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
