Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Alerting
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Re: search correlated events
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
search correlated events
gudavasr
Path Finder
05-28-2015
01:12 PM
I have a log like this: (this is from search...| transaction command)
[LOG|DEBUG|28 May 2015 15:42:28,722|com.XL.Source|Thread-19|-]
Deal - 123456 (New,PickedUp,3) notification received from Source
[END]
[LOG|DEBUG|28 May 2015 15:42:40,530|com.XL.Source|EngineThread1|-]
Deal - 123456 (New,PickedUp,3) - Publishing SAVED ack for the deal ...
[END]
This is the search:
source="**.log" ("(New*,Picked*" "notification received from Source" OR "SAVED ack")
| rex field=_raw "Deal -\s*(?<MW_Deal_Id>\d+) \("
| transaction MW_Deal_Id
| rex field=_raw "(?<MWDealBookedByUserTime>\d+ \w+ \d+ \d+:\d+:\d+,\d+)\|com.XL.Source\|Thread-*"
| rex field=_raw "(?<MWDealreceivedbyXLTime>\d+ \w+ \d+ \d+:\d+:\d+,\d+)\|com.XL.Source\|EngineThread"
| eval boo=strptime(MWDealBookedByUserTime, "%d %b %Y %H:%M:%S,%N")
| eval foo=strptime(MWDealreceivedbyXLTime, "%d %b %Y %H:%M:%S,%N")
| eval deal_duration_time_in_min = (foo - boo)/60
| eval dealDurationinMin=if(deal_duration_time_in_min>0, deal_duration_time_in_min, "Deal Still not saved in XL")
This one works fine as report, but as an alert that runs every 5 mins, it is sending false alerts.
Can you please help how can avoid false alert ?
i tried "grep -A" kind of search when this line is found
[LOG|DEBUG|28 May 2015 15:42:28,722|com.XL.Source|Thread-19|-]
but was not successful. hence I end up using above search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-28-2015
02:34 PM
Try this (not using transaction) and see if it works better:
source="**.log" ("(New*,Picked*" "notification received from Source" OR "SAVED ack")
| rex field=_raw "Deal -s*(?<MW_Deal_Id>d+) ("
| stats values(_raw) AS mutli_raw BY MW_Deal_Id
| rex field=mutli_raw"(?<MWDealBookedByUserTime>d+ w+ d+ d+:d+:d+,d+)|com.XL.Source|Thread-*"
| rex field=mutli_raw"(?<MWDealreceivedbyXLTime>d+ w+ d+ d+:d+:d+,d+)|com.XL.Source|EngineThread"
| eval boo=strptime(MWDealBookedByUserTime, "%d %b %Y %H:%M:%S,%N")
| eval foo=strptime(MWDealreceivedbyXLTime, "%d %b %Y %H:%M:%S,%N")
| eval deal_duration_time_in_min = (foo - boo)/60
| eval dealDurationinMin=if(deal_duration_time_in_min>0, deal_duration_time_in_min, "Deal Still not saved in XL")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gudavasr
Path Finder
05-28-2015
03:32 PM
for some reason it's not creating these fields:
MWDealBookedByUserTime and MWDealreceivedbyXLTime
and because of that it's not working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-28-2015
03:38 PM
OK, try this:
source="**.log" ("(New*,Picked*" "notification received from Source" OR "SAVED ack")
| rex "Deal -s*(?<MW_Deal_Id>d+) ("
| rex "(?<MWDealBookedByUserTime>d+ w+ d+ d+:d+:d+,d+)|com.XL.Source|Thread-*"
| rex "(?<MWDealreceivedbyXLTime>d+ w+ d+ d+:d+:d+,d+)|com.XL.Source|EngineThread"
| stats earliest(MWDealBookedByUserTime) AS MWDealBookedByUserTime
latest(MWDealreceivedbyXLTime) AS MWDealreceivedbyXLTime BY MW_Deal_Id
| eval boo=strptime(MWDealBookedByUserTime, "%d %b %Y %H:%M:%S,%N")
| eval foo=strptime(MWDealreceivedbyXLTime, "%d %b %Y %H:%M:%S,%N")
| eval deal_duration_time_in_min = (foo - boo)/60
| eval dealDurationinMin=if(deal_duration_time_in_min>0, deal_duration_time_in_min, "Deal Still not saved in XL")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gudavasr
Path Finder
05-28-2015
03:54 PM
little better..I will try this and update this question.
Thank You.
Get Updates on the Splunk Community!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...
They're back! Join the SplunkTrust and MVP at .conf24
With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...
Enterprise Security Content Update (ESCU) | New Releases
Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...
