topic Re: SysLog based Alert in Splunk Search

SysLog based Alert

asarolkar — Mon, 28 Sep 2020 12:25:58 GMT

I am trying to set up an Alert for syslog (udp:514) - and this is the search condition I use:

sourcetype="syslog" TCP_DST_PORT="31621" | eval timeStamp=date_year."-".date_month."-".date_mday.":".date_hour.":".date_minute.":".date_second | table timeStamp, count(eval(TCP_TYPE="TCP_Client_Accepted")) as F5_ACCEPT, count(eval(TCP_TYPE="TCP_Node_Connected")) as F5_CONNECT | eval F5_MISSED=F5_ACCEPT-F5_CONNECT  | WHERE F5_MISSED>2

Note that syslog is the log in Splunk that captures transmitted messages on udp:514

Note also that date _ year, date _ month, date _ mday, date _ hour, date _ minute, date _ second are all populated

This is what I expect in the CSV alert that in the email.

|| YYYY-MM-DD:HH:MM:SS || F5_ ACCEPT || F5_CONNECT || F5_ MISSED ||

But that search does not currently work. Any suggestions ?

Re: SysLog based Alert

jonuwz — Thu, 13 Sep 2012 09:49:09 GMT

Don't think you can use table like that.

What you're trying to do is get statistics for your F5s connect rate per second

The field _time is easier to manipulate than all the date parts - you can format the _time field later.

sourcetype="syslog" TCP_DST_PORT="31621" 
| bin _time span=1s
| stats count(eval(TCP_TYPE=="TCP_Client_Accepted")) as F5_ACCEPT, count(eval(TCP_TYPE=="TCP_Node_Connected")) as F5_CONNECT by _time 
| eval F5_MISSED=F5_ACCEPT-F5_CONNECT  
| WHERE F5_MISSED>2
| eval timestamp=strftime(_time),"%%Y-%m-%d:%H:%M:%S")
| table timestamp F5_ACCEPT F5_CONNECT F5_MISSED

Does the above search show the results you need ?

Re: SysLog based Alert

asarolkar — Thu, 13 Sep 2012 16:39:00 GMT

that worked out well. I guess I could have also tried using separate evals and then lump them together

yours looks much more profesional .. thank you