topic Re: How do you get the value from a tabular event for alerting? in Splunk Search

How do you get the value from a tabular event for alerting?

raj_mpl — Wed, 02 Jan 2019 11:22:18 GMT

Hi my log event will be in a tabular format like below

program status Group Lag Time

ABC RUNNING process1 00:03:05 00:00:04

ABC RUNNING process2 00:06:20 00:00:02

Now I want to write an alert condition when Lag is greater than 30 minutes . How do I achieve this ?

Thank you

Re: How do you get the value from a tabular event for alerting?

whrg — Wed, 02 Jan 2019 12:22:02 GMT

The convert dur2sec() function is what you are looking for:

your base search
| convert dur2sec(Lag) AS Lag_in_secs
| where Lag_in_secs>30*60

Re: How do you get the value from a tabular event for alerting?

raj_mpl — Wed, 02 Jan 2019 16:40:46 GMT

Hi @whrg , thanks for your reply on this the first row that I mentioned is actually contained program status Group (lag point), (Time point)
Like below

program status Group Lag point Time point
ABC RUNNING process1 00:03:05 00:00:04
ABC RUNNING process2 00:06:20 00:00:02

So now please let me know what would be the command to split them both , I need to write condition on both lag point and Time point

Re: How do you get the value from a tabular event for alerting?

whrg — Wed, 02 Jan 2019 19:05:35 GMT

I'm not sure I understand. What do you mean by splitting them both? Do you want the alert to trigger when either Lag point or Time point exceeds 30 minutes?

Re: How do you get the value from a tabular event for alerting?

raj_mpl — Wed, 02 Jan 2019 20:02:57 GMT

Yes absolutely , and a single event itself contains all the 3 rows in a tabular format .. I want to make 1st row as fields (program,stats,group,lap point,Time point)

Re: How do you get the value from a tabular event for alerting?

whrg — Wed, 02 Jan 2019 20:37:00 GMT

So your event is multiline and you are only interested in the "process1" line?

Check out this field extraction:

| makeresults count=1 | eval _raw="program status Group Lag point Time point
ABC RUNNING process1 00:03:05 00:00:04
ABC RUNNING process2 00:06:20 00:00:02"
| rex field=_raw "(?<program>\S+)\s+(?<status>\S+)\s+(?<group>\S+)\s+(?<lag_point>\d+:\d+:\d+)\s+(?<time_point>\d+:\d+:\d+)"

You might be better off indexing your logs as CSV files. This way, the fields are automatically extracted.

Re: How do you get the value from a tabular event for alerting?

raj_mpl — Thu, 03 Jan 2019 02:09:47 GMT

Iam trying to achieve using mulikv command bro like

sourcetype = mydata | multikv forceheader=2| ......

Something like above query I need , it's a tabular data and Iam interested in "lag point' and "time point" .. which Iam not able to extract as fields

Re: How do you get the value from a tabular event for alerting?

sdchakraborty — Thu, 03 Jan 2019 06:14:20 GMT

Hi @raj_mpl ,

You need to tweak the multikv extracttion using the multikv.conf file. code below,

[demo_mkv]
header.start = "program"
header.linecount = 1
header.tokens = _tokenize_, -1," "
body.tokens = _tokenize_,-1, " "

You need to place this conf file in local/default folder in your app as multikv.conf. Ans restart splunk. I indexed the data in main index and the below query working for me. Then you can use your own logic on lag field.

index=main 
|  multikv conf=demo_mkv

I have discussed the same stuff below,

https://youtu.be/8kWgDVZZ0GQ

Sid

Re: How do you get the value from a tabular event for alerting?

raj_mpl — Thu, 03 Jan 2019 06:26:34 GMT

Hi @sdchakraborty , Thanks for your reply on this
I need to do this using search head only ., Gone through your video about multikv its worth and good stuff
So when I fire this sourcetype=mysourcetype| multikv forceheader=2 , I am getting two fields named as Lag and Time . I believe Splunk extracted the filed name of Lag Point as Lag and Time point as Time .
Now help me with a query to build an alert to check when Lag OR Time is greater than 15 minutes

Thank you

Re: How do you get the value from a tabular event for alerting?

raj_mpl — Tue, 29 Sep 2020 22:38:31 GMT

So I developed a Query like below

Please correct me if anything wrong here .

Re: How do you get the value from a tabular event for alerting?

sdchakraborty — Thu, 03 Jan 2019 06:42:15 GMT

This query looks good.
Sid

Re: How do you get the value from a tabular event for alerting?

raj_mpl — Thu, 03 Jan 2019 06:51:30 GMT

Thanks Sid

Re: How do you get the value from a tabular event for alerting?

raj_mpl — Tue, 29 Sep 2020 22:38:34 GMT

Hi @whrg

Developed the query like below

Please correct me if anything wrong here .

Re: How do you get the value from a tabular event for alerting?

whrg — Thu, 03 Jan 2019 07:53:13 GMT

I think it needs to be: multikv forceheader=1

Re: How do you get the value from a tabular event for alerting?

raj_mpl — Thu, 03 Jan 2019 11:00:46 GMT

Yes , My event will start with a timestamp and some other information in first line
so multikv forceheader=2 , worked for me 🙂