Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

URL Monitoring issue

jackin
Path Finder
‎01-24-2022 12:26 AM

Hello,
We have a few URLs being monitored by a Splunk alert(query pasted below for reference) by making use of the "Website Monitoring" add on.

index=myindex sourcetype="web_ping"
[| inputlookup URL.csv]
| streamstats count by response_code url
| where count>=2 and response_code>=300
| eval Timestamp=strftime(_time ,"%d/%m/%Y %H:%M:%S"),Status="Failure"
| rename response_code as "HTTP Response Code" url as URL
| dedup URL
| table Timestamp "HTTP Response Code" URL Status

 Here the problem is 
we are receiving response_code and response_time fields as empty like below 

proxy_server="" title=abc.com timed_out=False proxy_port="" url=https://abc.com total_time="" request_time="" timeout=120 response_code="" proxy_type=http

can anyone suggest to resolve (troubleshooting steps) this issue.

0 Karma
Reply

SinghK
Builder
‎01-24-2022 01:10 AM

Thats an issue with that add-on. I think you need to highlight that to developer. Or you need to readjust the frequency it polls or reduce no of urls on the hf where addon is .

But I used to eval that empty code as 404 or url unreachable  and then you will have value instead of empty value.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-24-2022 12:30 AM

Hi @jackin,

what is the problem: aren't the missed fields extracted from logs or what else?

could you share some samples of your logs, bolding the missed fields?

Ciao.

Giuseppe

0 Karma
Reply

jackin
Path Finder
‎01-24-2022 12:43 AM

Hi @gcusello 

jackin_0-1643013685736.png

Like above snap some fileds are empty

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-24-2022 12:46 AM

Hi @jackin,

the question is: are they empty because they aren't present or because there's a parsing error?

for this reason I asked a sample of your log, with the missing values.

Ciao.

Giuseppe

0 Karma
Reply

jackin
Path Finder
‎01-24-2022 01:30 AM

Hi @gcusello 

For ex: we are trying to access one of the url htttps://.... , so basically it is giving as HTTP Error 503 , But Splunk is showing HTTPP response code as null .

So, we can say that it's a parsing error

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-24-2022 01:59 AM

Hi @jackin,

This means that there's a parsing error, if you could share a sample of your logs, I could help you to create another field extraction.

Ciao.

Giuseppe

0 Karma
Reply

jackin
Path Finder
‎01-24-2022 02:15 AM

Hi @gcusello 

Thanks for help

where it is available ? 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-24-2022 02:24 AM

Hi @jackin,

As I said, probably there's a parsing error in your TA, so the easiest way is to create a new field extraction.

But to do this, I need that you share a sample of your logs.

Ciao.

Giuseppe

0 Karma
Reply

jackin
Path Finder
‎01-24-2022 02:46 AM

Hi @gcusello 

I am asking which logs you need and where it is available 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-24-2022 02:52 AM

Hi @jackin,

you could send the logs that you have in the print screen you shared.

Ciao.

Giuseppe

0 Karma
Reply

jackin
Path Finder
‎01-24-2022 03:07 AM

Hi @gcusello 

 

PFB log

proxy_server="" title=internal-onyxquals-738401111.eu-west-1.elb.amazonaws.com timed_out=True proxy_port="" url=https://internal-onyxquals-738401111.eu-west-1.elb.amazonaws.com/view/adminLogin.jsp total_time="" request_time="" timeout=120 response_code="" proxy_type=http

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-24-2022 03:30 AM

Hi @jackin,

if this is your row log, you cannot do anything because the values are missing in the source; it isn't a parsing error.

You could force response_code="504"  and response_time=_time-120, something like this:

| eval response_code=if(timed_out="True",504,response_code), response_time=if(timed_out="True",_time-120,response_code)

Ciao.

Giuseppe

0 Karma
Reply

SinghK
Builder
‎01-24-2022 03:40 AM

As I said earlier the add-on starts doing this when the no of tests increase on the hf it's installed. There is no fix to this just a work around only if you know your url is up when response code field is empty

|eval response_code = if ( response_code= "", "200" , response_code)

This will update empty response code as 200 else will keep what ever response code is there in actual event. 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...