Alerting

Missing forwarders alert format

reedmohn
Communicator

I've set up alerting for missing forwarders in Deployment Monitor.
Works fine, but I've noticed that the "Last connected" field is not formatted, I just get the raw seconds value, in the e-mail alert (results are sent inline).

Anyone know why that happens?
The search query includes a "fieldformat .... =strftime(.." operation which works fine in the web interface.

0 Karma
1 Solution

araitz
Splunk Employee

The fieldformat command is used to make the field in question appear in Splunk Web as a proper human readable time but still be sortable as epoch time. I'm afraid there isn't a simple workaround other than to adjust your alerting search to use the strftime option in eval.

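Applying the accepted answer, here is what the alerting search looks like when the display-only fieldformat is replaced with an eval that materializes the string. This is an added example, not code from the original thread or from the Deployment Monitor app; the `all_forwarders` macro and the sourceHost, lastConnected and status fields are the ones the thread already uses, while the "Silent For (min)" column is an assumed name I chose for the age calculation.

```spl
`all_forwarders`
| search status="missing"
| eval "Silent For (min)"=round((now()-lastConnected)/60, 0)
| sort - lastConnected
| eval "Last Connected"=strftime(lastConnected, "%Y-%m-%d %H:%M:%S")
| fields sourceHost "Last Connected" "Silent For (min)" status
| rename sourceHost AS "Forwarder" status AS "Current Status"
```

Because eval stores the formatted value in the result set, the sendemail inline results carry the readable timestamp instead of raw epoch seconds. The sort is done on the numeric lastConnected field before the string version is created, so the ordering stays chronological rather than lexical; the age-in-minutes column makes it easy to tell a forwarder that just dropped off from one that has been a blind spot for hours.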

jonahcofer
Engager

Just stumbled upon this; you may have already got this working. When you add the convert ctime() AS timestamp after your timeformat, the conversion will be applied to your email alert.

Here's what I have.

`all_forwarders` | search status="missing" | sort - lastConnected | fields sourceHost sourceIp connectionType os lastConnected status | rename sourceHost AS "Forwarder" sourceIp AS "Source IP" connectionType AS "Forwarder Type" os AS "OS" lastConnected AS "Last Connected" status AS "Current Status" | convert timeformat="%b %d, %Y %I:%M %p" ctime("Last Connected") | convert ctime(lastConnected) AS timestamp

P.S. Make sure timestamp is all lowercase or it will show up in your result columns. 🙂

0 Karma

sloshburch
Splunk Employee

See the all_forwarders.xml file and you'll find the search query to pipe the saved search into such that you can have it pretty formatted. Remember to use the proper time ranges and replace the single quotes with ticks.

`all_forwarders` | eval KB = round(KB, 4) | eval eps = round(eps, 4) | fields sourceHost destPort connectionType version os lastConnected lastReceived status KB eps | rename sourceHost as Forwarder destPort as "Destination Port" connectionType as "Forwarder Type" version as "Splunk Version" os as "Platform" status as "Current Status" lastConnected as "Last Connected" lastReceived as "Last Data Received" KB as "Total KB" eps as "Average Events Per Second" | fieldformat "Last Connected"=strftime('Last Connected', "%D %H:%M:%S %p") | fieldformat "Last Data Received"=strftime('Last Data Received', "%D %H:%M:%S %p")

