Getting Data In

How do I constantly check the log if a connection is up or not?

timmag
Explorer

I have a host and source.
host="xyz" source="abc"

They give me results every minute whether the connection is up or not. My question is how do I write a query that continuously keeps checking the connection every minute and shows up if everything is fine and shows down if there is a connection fail for greater than 5 mins (i.e. the log would contain the connection is down 5 times)

0 Karma

splunker12er
Motivator
Makeresults| tstats max(_indextime) as recentTime where index=* by index host source | eval age=now()-recentTime | search age>60
0 Karma

timmag
Explorer

I'm not sure I understood that. What is Makeresults?

0 Karma

splunker12er
Motivator

Make your results 🙂

Index=* host=hostname source=sourcename| above query

0 Karma

timmag
Explorer

Oopsy. Got it. But, I was getting this error: Error in 'tstats' command: This command must be the first command of a search... So I thought, that was something. 😛

0 Karma

timmag
Explorer

I still don't get it. Even if I try using simple stats command, it returns index error

0 Karma

MKowalewski
Engager

| makeresults [| tstats max(_indextime) as recentTime where index=* by index host source | eval age=now()-recentTime | search age>60]
@timmag this sould work fine

0 Karma

p_gurav
Champion

You can use | metadata type=hosts and then select fields you want and apply condition.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...