Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Missing forwarders alert format

reedmohn
Communicator
‎12-21-2012 04:59 AM

I've set up alerting for missing forwarders in Deployment Monitor.
Works fine, but I've noticed that the "Last connected" field is not formatted, I just get the raw seconds value, in the e-mail alert (results are sent inline).

Anyone know why that happens?
The search query includes a "fieldformat .... =strftime(.." operation which works fine in the web interface.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎02-19-2013 09:16 AM

The fieldformat command is used to make the field in question appear in Splunk Web as a proper human readable time but still be sortable as epoch time. I'm afraid there isn't a simple workaround other than to adjust your alerting search to use the strftime option in eval.

View solution in original post

Reply
Solved! Jump to solution

jonahcofer
Engager
‎06-14-2013 02:45 PM

Just stumbled upon this, you may have already got this working. When you add the convert ctime() AS timestamp after your timeformat the conversion will be applied to your email alert.

Here's what I have.

`all_forwarders` | search status="missing" | sort - lastConnected | fields sourceHost sourceIp connectionType os lastConnected status | rename sourceHost AS "Forwarder" sourceIp AS "Source IP" connectionType AS "Forwarder Type" os AS "OS" lastConnected AS "Last Connected" status AS "Current Status" | convert timeformat="%b %d, %Y %I:%m %p" ctime("Last Connected") | convert ctime(lastConnected) AS timestamp

P.S. Make sure timestamp is all lowercase or it will show up in your result columns. 🙂

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎03-12-2013 07:11 AM

See the all_fowarders.xml file and you'll find the search query to pipe the saved search into such that you can have it pretty formatted. Remember to use the proper time ranges and replace the single quotes with ticks.

'all_forwarders' | eval KB = round(KB, 4) | eval eps = round(eps, 4) | fields sourceHost destPort connectionType version os lastConnected lastReceived status KB eps | rename sourceHost as Forwarder destPort as "Destination Port" connectionType as "Forwarder Type" version as "Splunk Version" os as "Platform" status as "Current Status" lastConnected as "Last Connected" lastReceived as "Last Data Received" KB as "Total KB" eps as "Average Events Per Second" | fieldformat "Last Connected"=strftime('Last Connected', "%D %H:%M:%S %p") | fieldformat "Last Data Received"=strftime('Last Data Received', "%D %H:%M:%S %p"

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎02-19-2013 09:16 AM

The fieldformat command is used to make the field in question appear in Splunk Web as a proper human readable time but still be sortable as epoch time. I'm afraid there isn't a simple workaround other than to adjust your alerting search to use the strftime option in eval.

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...