topic Re: Splunk search string to send an email alert when the TNS Ping is greater than 5000msecs in Splunk Search

Splunk search string to send an email alert when the TNS Ping is greater than 5000msecs

Isaias_Garcia — Mon, 28 Sep 2020 15:41:54 GMT

Hello-

I have this log in Splunk:

2014-01-22 17:18:11,509 INFO ben.benactiond: Event:'db1xxx-yyy.xxxx|LISTENER_db0100000-dr.xxxxx|/OEM/Alert|3|"OEM Event Listener response to a TNS ping is 450 msecs. Detail in OEM at //xxxx.xxxx:xxxxx/redirect?pageType=sdk-core-event-console-detailEvent&issueID=F071CFED50B45B79E043E403490A20CB"' Trigger:OEMAlert_Warning Action:email Status:SUCCESS

Question: I want Splunk to send an email alert everytime the TNS Ping is greater than 5000msecs. What search strings should I use? Thank you in advance

Re: Splunk search string to send an email alert when the TNS Ping is greater than 5000msecs

lguinn2 — Wed, 22 Jan 2014 11:42:37 GMT

Try this

yoursearchhere
| rex "TNS ping is (?<TNSping>\d+) msecs"
| where TNSping > 5000

and set the alert to trigger if number of events is greater than zero.

Re: Splunk search string to send an email alert when the TNS Ping is greater than 5000msecs

Isaias_Garcia — Thu, 23 Jan 2014 01:21:36 GMT

Hi Iguinn-

Thanks for your help.I tried your suggestion by doing this seach string:

"OEM Event Listener response to a TNS ping is | rex "TNS ping is (?\d+) msecs" | where TNSping > 5000"

And I got this results:
2014-01-23 09:04:07,401 INFO xxx.xxx: Event:'xxxx|LISTENER_xxxxx|/xxx/xxx3|"OEM Event Listener response to a TNS ping is 540 msecs.....

2014-01-23 08:09:04,866 INFO zxxx.xxx: Event:'xxxx|LISTENER_xxxxx|/xxx/xxx3|"OEM Event Listener response to a TNS ping is 740 msecs. ....

2014-01-23 02:13:42,328 INFO xxx.xxx: Event:'xxxx|LISTENER_xxxxx|/xxx/xxx3|"OEM Event Listener response to a TNS ping is 530 msecs.....

It seems working, however, what I am getting is a TNS ping that is greater than 500 and not 5000. Perhaps it just needs some tweaking on the search. Please advise.

Re: Splunk search string to send an email alert when the TNS Ping is greater than 5000msecs

lguinn2 — Thu, 23 Jan 2014 05:52:23 GMT

Huh. That's odd. But maybe we should make sure that TNSping is a number, like this

yoursearchhere | rex "TNS ping is (?<TNSping>\d+) msecs" | convert num(TNSping) as TNSping | where TNSping > 5000

Re: Splunk search string to send an email alert when the TNS Ping is greater than 5000msecs

Isaias_Garcia — Thu, 23 Jan 2014 06:19:37 GMT

Hi Iguinn -

Thank you.I appreciate your help..However, I'm still getting the same > 500 results instead of > 5000 after trying your suggestions:(
Please advise

Re: Splunk search string to send an email alert when the TNS Ping is greater than 5000msecs

lguinn2 — Thu, 23 Jan 2014 06:35:18 GMT

Let's test by running this search:

yoursearchhere | rex "TNS ping is (?<TNSping>\d+) msecs" | convert num(TNSping) as TNSping

After the search runs, see if you can find the TNSping field in the sidebar on the left. (You may have to run the search in "verbose" mode.)

Click on the field name in the sidebar and add TNSping to the "selected fields." Now the TNSping value should show up beneath each event, along with the host, source and sourcetype. Does the value of TNSping make sense?

Re: Splunk search string to send an email alert when the TNS Ping is greater than 5000msecs

linu1988 — Thu, 23 Jan 2014 06:45:09 GMT

Got it now, you extracted the field as (?d+)

tnsping and you are comparing with TNSping which doesnt even exist. Makes sure you always use the exact field name 🙂

Re: Splunk search string to send an email alert when the TNS Ping is greater than 5000msecs

lguinn2 — Thu, 30 Jan 2014 08:00:07 GMT

@linu1988 - good eye - that is the problem with the search that @Isaias.Garcia is running!

Re: Splunk search string to send an email alert when the TNS Ping is greater than 5000msecs

Isaias_Garcia — Mon, 03 Feb 2014 01:50:16 GMT

Hi Iguinn/linu

Thanks for your responses..Im still getting "greater than 500" value instead of "5000" after fixing all the search strings.

This is the search string I used per your suggestions:

OEM Event Listener response to a TNS ping is | rex "TNS ping is (?\d+) msecs" | convert num(TNSping) as TNSping | where TNSping > "5,000"

However the results are still "greater than 500"

2014-02-03 09:26:18,913 INFO zen.zenactiond: Event:'xxxxx-xxxxx.xxxxx|LISTENERxxxxx-xxxxx.xxxxx|/OEM/Alert|3|"OEM Event Listener response to a TNS ping is 650 msecs. 2014-02-03 09:26:18,794 INFO zen.zenactiond: Event:'xxxxx-xxxxx.xxxxx|LISTENERxxxxx-xxxxx.xxxxx|/OEM/Alert|3|"OEM Event Listener response to a TNS ping is 650 msecs.

Please advise. I really appreciate your help on this,. Thanks

Re: Splunk search string to send an email alert when the TNS Ping is greater than 5000msecs

linu1988 — Mon, 03 Feb 2014 17:34:39 GMT

where did the field go?

| rex "TNS ping is (?\d+) msecs"

Re: Splunk search string to send an email alert when the TNS Ping is greater than 5000msecs

lguinn2 — Tue, 11 Feb 2014 23:54:27 GMT

As @linu1988 said - what happened to the field? Also, TNSping is not a string and you can't do > for strings anyway, so your where command will not work. Try this, carefully:

OEM Event Listener response to a TNS ping is | rex "TNS ping is (?<TNSping>\d+) msecs" | where TNSping > 5000