Hi
Please help me understand what this saved search will do.
index=os sourcetype=splunk_health_check |eval value=delay_status |eval message=if(status=="OK","",status) |eval status=if(status=="OK",status,"NG") |eval score=if(value==99,-1,value) |table _time sh status score message |rename sh to searchhead |search score<5 AND status!="OK" message!="*No error" AND message!="Proxy Error"
The source is a script.
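# Poll each Splunk search head for the SPLUNK_HEALTH_CHECK event count and
# print one key=value log line per host (this is what feeds the saved search).
#
# Expects in the environment: HOSTS (whitespace-separated host list), INDEX,
# SOURCETYPE, EARLIEST, LATEST, USER, PASS, TIMEOUT.
#
# Output per host:
#   <date> <time> sh=<host> status="OK"|"<cli output>" delay_status=<count>
# delay_status is the event count when the CLI returned a bare number and is
# left at the sentinel 99 otherwise (the saved search maps 99 to score=-1).

# Returns 0 when $1 is a non-empty string of decimal digits only.
# The original test, `expr $result : '[0-9]*'`, accepted anything that merely
# *started* with a digit (e.g. "12abc") and then logged that as the count;
# it was also unquoted, so multi-word error text was passed to expr as extra
# arguments. A case pattern is POSIX, strict, and needs no external command.
is_count() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

for HOST in ${HOSTS}
do
  URI="http://${HOST}:80"
  count=99   # sentinel: stays 99 unless the CLI output is a plain number
  # The assignment must be a command substitution; as pasted it lacked $(...)
  # (probably lost backticks) and would have run `search` as a bare command.
  # NOTE: -auth puts the password on the splunk command line, where any local
  # user can read it from the process table (ps) while the search runs, and it
  # also appears in `set -x` traces; prefer a credential source other than argv
  # if the CLI offers one.
  result=$(/opt/splunk/bin/splunk search "index=${INDEX} sourcetype=${SOURCETYPE} SPLUNK_HEALTH_CHECK |stats count" \
    -earliest_time "${EARLIEST}" -latest_time "${LATEST}" -uri "${URI}" \
    -auth "${USER}:${PASS}" -preview F -output csv -timeout "${TIMEOUT}" 2>&1 \
    | grep -v count | tr -d '\n' | sed 's/"//g')
  # Numeric output is the count; anything else (error text) becomes the status.
  if is_count "$result"; then
    count=$result
    result="OK"
  fi
  date +"%Y-%m-%d %T sh=${HOST} status=\"${result}\" delay_status=$count"
done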
it will
find events
index=os sourcetype=splunk_health_check
calculate some additional fields, value, message, status and score, drop other fields, and add the search-head name
|eval value=delay_status |eval message=if(status=="OK","",status) |eval status=if(status=="OK",status,"NG") |eval score=if(value==99,-1,value) |table _time sh status score message |rename sh to searchhead
and add a condition that drops every event that does not meet the criteria on score, status and message
|search score<5 AND status!="OK" message!="*No error" AND message!="Proxy Error"
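# Poll each Splunk search head for the SPLUNK_HEALTH_CHECK event count and
# print one key=value log line per host (this is what feeds the saved search).
#
# Expects in the environment: HOSTS (whitespace-separated host list), INDEX,
# SOURCETYPE, EARLIEST, LATEST, USER, PASS, TIMEOUT.
#
# Output per host:
#   <date> <time> sh=<host> status="OK"|"<cli output>" delay_status=<count>
# delay_status is the event count when the CLI returned a bare number and is
# left at the sentinel 99 otherwise (the saved search maps 99 to score=-1).

# Returns 0 when $1 is a non-empty string of decimal digits only.
# The original test, `expr $result : '[0-9]*'`, accepted anything that merely
# *started* with a digit (e.g. "12abc") and then logged that as the count;
# it was also unquoted, so multi-word error text was passed to expr as extra
# arguments. A case pattern is POSIX, strict, and needs no external command.
is_count() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

for HOST in ${HOSTS}
do
  URI="http://${HOST}:80"
  count=99   # sentinel: stays 99 unless the CLI output is a plain number
  # The assignment must be a command substitution; as pasted it lacked $(...)
  # (probably lost backticks) and would have run `search` as a bare command.
  # NOTE: -auth puts the password on the splunk command line, where any local
  # user can read it from the process table (ps) while the search runs, and it
  # also appears in `set -x` traces; prefer a credential source other than argv
  # if the CLI offers one.
  result=$(/opt/splunk/bin/splunk search "index=${INDEX} sourcetype=${SOURCETYPE} SPLUNK_HEALTH_CHECK |stats count" \
    -earliest_time "${EARLIEST}" -latest_time "${LATEST}" -uri "${URI}" \
    -auth "${USER}:${PASS}" -preview F -output csv -timeout "${TIMEOUT}" 2>&1 \
    | grep -v count | tr -d '\n' | sed 's/"//g')
  # Numeric output is the count; anything else (error text) becomes the status.
  if is_count "$result"; then
    count=$result
    result="OK"
  fi
  date +"%Y-%m-%d %T sh=${HOST} status=\"${result}\" delay_status=$count"
done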