Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Missing forwarders alert format

reedmohn
Communicator
‎12-21-2012 04:59 AM

I've set up alerting for missing forwarders in Deployment Monitor.
Works fine, but I've noticed that the "Last connected" field is not formatted, I just get the raw seconds value, in the e-mail alert (results are sent inline).

Anyone know why that happens?
The search query includes a "fieldformat .... =strftime(.." operation which works fine in the web interface.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎02-19-2013 09:16 AM

The fieldformat command is used to make the field in question appear in Splunk Web as a proper human readable time but still be sortable as epoch time. I'm afraid there isn't a simple workaround other than to adjust your alerting search to use the strftime option in eval.

View solution in original post

Reply
Solved! Jump to solution

jonahcofer
Engager
‎06-14-2013 02:45 PM

Just stumbled upon this, you may have already got this working. When you add the convert ctime() AS timestamp after your timeformat the conversion will be applied to your email alert.

Here's what I have.

`all_forwarders` | search status="missing" | sort - lastConnected | fields sourceHost sourceIp connectionType os lastConnected status | rename sourceHost AS "Forwarder" sourceIp AS "Source IP" connectionType AS "Forwarder Type" os AS "OS" lastConnected AS "Last Connected" status AS "Current Status" | convert timeformat="%b %d, %Y %I:%m %p" ctime("Last Connected") | convert ctime(lastConnected) AS timestamp

P.S. Make sure timestamp is all lowercase or it will show up in your result columns. 🙂

0 Karma
Reply
Solved! Jump to solution

sloshburch
Ultra Champion
‎03-12-2013 07:11 AM

See the all_fowarders.xml file and you'll find the search query to pipe the saved search into such that you can have it pretty formatted. Remember to use the proper time ranges and replace the single quotes with ticks.

'all_forwarders' | eval KB = round(KB, 4) | eval eps = round(eps, 4) | fields sourceHost destPort connectionType version os lastConnected lastReceived status KB eps | rename sourceHost as Forwarder destPort as "Destination Port" connectionType as "Forwarder Type" version as "Splunk Version" os as "Platform" status as "Current Status" lastConnected as "Last Connected" lastReceived as "Last Data Received" KB as "Total KB" eps as "Average Events Per Second" | fieldformat "Last Connected"=strftime('Last Connected', "%D %H:%M:%S %p") | fieldformat "Last Data Received"=strftime('Last Data Received', "%D %H:%M:%S %p"

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎02-19-2013 09:16 AM

The fieldformat command is used to make the field in question appear in Splunk Web as a proper human readable time but still be sortable as epoch time. I'm afraid there isn't a simple workaround other than to adjust your alerting search to use the strftime option in eval.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...