Re: How do I constantly check the log if a connect...

timmag · ‎04-06-2018

I have a host and source.
host="xyz" source="abc"

They give me results every minute whether the connection is up or not. My question is how do I write a query that continuously keeps checking the connection every minute and shows up if everything is fine and shows down if there is a connection fail for greater than 5 mins (i.e. the log would contain the connection is down 5 times)

splunker12er · ‎04-06-2018

Makeresults| tstats max(_indextime) as recentTime where index=* by index host source | eval age=now()-recentTime | search age>60

timmag · ‎04-06-2018

I'm not sure I understood that. What is Makeresults?

splunker12er · ‎04-06-2018

Make your results 🙂

Index=* host=hostname source=sourcename| above query

timmag · ‎04-06-2018

Oopsy. Got it. But, I was getting this error: Error in 'tstats' command: This command must be the first command of a search... So I thought, that was something. 😛

timmag · ‎04-06-2018

I still don't get it. Even if I try using simple stats command, it returns index error

MKowalewski · ‎04-06-2018

| makeresults [| tstats max(_indextime) as recentTime where index=* by index host source | eval age=now()-recentTime | search age>60]
@timmag this sould work fine

p_gurav · ‎04-06-2018

You can use | metadata type=hosts and then select fields you want and apply condition.

How do I constantly check the log if a connection is up or not?

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor