Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using Stats and Eval (and adding timestamps)

asarolkar
Builder
‎09-27-2012 04:06 PM

I am monitoring myserver logs file created by BEA using a universal forwarder on the BEA instance.

I want to create an alert that log indicates a failure to connect to CISCO.

The search string in my alert looks like this. 

sourcetype="myserver" | search "Could not open connection with host: cisco1.cisco.net and port: 101" | stats count as connectionFailure  WHERE connectionFailure>0 | eval hourTimeStamp= date_hour.":".date_minute.":".date_second | fields hourTimeStamp,connectionFailure

Note that date_hour, date_minute and date_second are all populated.

However this search does not seem to be working and i reckon its because I am not using eval and stats in the right manner

Any suggestions on how to better this ?

The goal of the Alert is to do two things


i) Run this search every 5 minutes so that connectionFailures are detected (count how many)


ii) TimeStamp the event.





If I get the search, I can set the alert myself.

0 Karma
Reply

melting
Splunk Employee
Splunk Employee
‎09-27-2012 04:19 PM

It looks like you are trying to use eval for concatentation, that would look like:

... | eval hourTimeStamp= date_hour + ":" + date_minute + ":" +date_second |
Reply

lguinn2
Legend
‎09-27-2012 04:12 PM

It is unclear what you need the timestamp for... Splunk knows the time period of the search and you do not need to create a timestamp. But I included a field that contains the time that the search started minus 5 minutes.

sourcetype="myserver"  "Could not open connection with host: cisco1.cisco.net and port: 101" 
| stats count as connectionFailure
| eval searchStartTime=relative_time(now(),"-5m")
| fieldFormat searchStart = strftime(searchStartTime,"$H:$M:$S")
Reply

lguinn2
Legend
‎09-27-2012 09:34 PM

Sorry - melting saw my error... my typing really stunk on that one...

0 Karma
Reply

melting
Splunk Employee
Splunk Employee
‎09-27-2012 04:59 PM

We are close, it is :

eval searchStartTime=relative_time(now(), "-5m")

other eval commandes:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

0 Karma
Reply

asarolkar
Builder
‎09-27-2012 04:24 PM

| eval searchStartTime=relativetime(now,"-5,")

are you sure this is allowed ? Splunk says it does not know of a relativetime() method

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...