topic Re: Using Stats and Eval (and adding timestamps) in Splunk Search

Using Stats and Eval (and adding timestamps)

asarolkar — Mon, 28 Sep 2020 12:31:35 GMT

I am monitoring myserver logs file created by BEA using a universal forwarder on the BEA instance.

I want to create an alert that log indicates a failure to connect to CISCO.

The search string in my alert looks like this.

sourcetype="myserver" | search "Could not open connection with host: cisco1.cisco.net and port: 101" | stats count as connectionFailure  WHERE connectionFailure>0 | eval hourTimeStamp= date_hour.":".date_minute.":".date_second | fields hourTimeStamp,connectionFailure

Note that date_hour, date_minute and date_second are all populated.

However this search does not seem to be working and i reckon its because I am not using eval and stats in the right manner

Any suggestions on how to better this ?

The goal of the Alert is to do two things

i) Run this search every 5 minutes so that connectionFailures are detected (count how many)

ii) TimeStamp the event.

If I get the search, I can set the alert myself.

Re: Using Stats and Eval (and adding timestamps)

lguinn2 — Thu, 27 Sep 2012 23:12:20 GMT

It is unclear what you need the timestamp for... Splunk knows the time period of the search and you do not need to create a timestamp. But I included a field that contains the time that the search started minus 5 minutes.

sourcetype="myserver"  "Could not open connection with host: cisco1.cisco.net and port: 101" 
| stats count as connectionFailure
| eval searchStartTime=relative_time(now(),"-5m")
| fieldFormat searchStart = strftime(searchStartTime,"$H:$M:$S")

Re: Using Stats and Eval (and adding timestamps)

melting — Thu, 27 Sep 2012 23:19:20 GMT

It looks like you are trying to use eval for concatentation, that would look like:

... | eval hourTimeStamp= date_hour + ":" + date_minute + ":" +date_second |

Re: Using Stats and Eval (and adding timestamps)

asarolkar — Thu, 27 Sep 2012 23:24:03 GMT

| eval searchStartTime=relativetime(now,"-5,")

are you sure this is allowed ? Splunk says it does not know of a relativetime() method

Re: Using Stats and Eval (and adding timestamps)

melting — Thu, 27 Sep 2012 23:59:39 GMT

We are close, it is :

eval searchStartTime=relative_time(now(), "-5m")

other eval commandes:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

Re: Using Stats and Eval (and adding timestamps)

lguinn2 — Fri, 28 Sep 2012 04:34:05 GMT

Sorry - melting saw my error... my typing really stunk on that one...