Re: How do I constantly check the log if a connect...

timmag · ‎04-06-2018

I have a host and source.
host="xyz" source="abc"

They give me results every minute whether the connection is up or not. My question is how do I write a query that continuously keeps checking the connection every minute and shows up if everything is fine and shows down if there is a connection fail for greater than 5 mins (i.e. the log would contain the connection is down 5 times)

splunker12er · ‎04-06-2018

Makeresults| tstats max(_indextime) as recentTime where index=* by index host source | eval age=now()-recentTime | search age>60

timmag · ‎04-06-2018

I'm not sure I understood that. What is Makeresults?

splunker12er · ‎04-06-2018

Make your results 🙂

Index=* host=hostname source=sourcename| above query

timmag · ‎04-06-2018

Oopsy. Got it. But, I was getting this error: Error in 'tstats' command: This command must be the first command of a search... So I thought, that was something. 😛

timmag · ‎04-06-2018

I still don't get it. Even if I try using simple stats command, it returns index error

MKowalewski · ‎04-06-2018

| makeresults [| tstats max(_indextime) as recentTime where index=* by index host source | eval age=now()-recentTime | search age>60]
@timmag this sould work fine

p_gurav · ‎04-06-2018

You can use | metadata type=hosts and then select fields you want and apply condition.

How do I constantly check the log if a connection is up or not?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation