Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Missing forwarders alert format

reedmohn
Communicator
‎12-21-2012 04:59 AM

I've set up alerting for missing forwarders in Deployment Monitor.
Works fine, but I've noticed that the "Last connected" field is not formatted, I just get the raw seconds value, in the e-mail alert (results are sent inline).

Anyone know why that happens?
The search query includes a "fieldformat .... =strftime(.." operation which works fine in the web interface.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎02-19-2013 09:16 AM

The fieldformat command is used to make the field in question appear in Splunk Web as a proper human readable time but still be sortable as epoch time. I'm afraid there isn't a simple workaround other than to adjust your alerting search to use the strftime option in eval.

View solution in original post

Reply
Solved! Jump to solution

jonahcofer
Engager
‎06-14-2013 02:45 PM

Just stumbled upon this, you may have already got this working. When you add the convert ctime() AS timestamp after your timeformat the conversion will be applied to your email alert.

Here's what I have.

`all_forwarders` | search status="missing" | sort - lastConnected | fields sourceHost sourceIp connectionType os lastConnected status | rename sourceHost AS "Forwarder" sourceIp AS "Source IP" connectionType AS "Forwarder Type" os AS "OS" lastConnected AS "Last Connected" status AS "Current Status" | convert timeformat="%b %d, %Y %I:%m %p" ctime("Last Connected") | convert ctime(lastConnected) AS timestamp

P.S. Make sure timestamp is all lowercase or it will show up in your result columns. 🙂

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎03-12-2013 07:11 AM

See the all_fowarders.xml file and you'll find the search query to pipe the saved search into such that you can have it pretty formatted. Remember to use the proper time ranges and replace the single quotes with ticks.

'all_forwarders' | eval KB = round(KB, 4) | eval eps = round(eps, 4) | fields sourceHost destPort connectionType version os lastConnected lastReceived status KB eps | rename sourceHost as Forwarder destPort as "Destination Port" connectionType as "Forwarder Type" version as "Splunk Version" os as "Platform" status as "Current Status" lastConnected as "Last Connected" lastReceived as "Last Data Received" KB as "Total KB" eps as "Average Events Per Second" | fieldformat "Last Connected"=strftime('Last Connected', "%D %H:%M:%S %p") | fieldformat "Last Data Received"=strftime('Last Data Received', "%D %H:%M:%S %p"

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎02-19-2013 09:16 AM

The fieldformat command is used to make the field in question appear in Splunk Web as a proper human readable time but still be sortable as epoch time. I'm afraid there isn't a simple workaround other than to adjust your alerting search to use the strftime option in eval.

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...