Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need "events list" & "count by" in email AND when run on UI

MasterOogway
Communicator
‎11-05-2010 04:10 PM

I have the following command that does exactly what I need it to do....search for "eth_port_channel" and build a Regex that defines "port", and when "port is found count the number of times and if more than 100 times notify me.

Search: sourcetype=syslog_info ETH_PORT_CHANNEL AND down OR up | rex "port-channel(?\d+):" | stats count by port | sort - count | where count>=100

What I also need when receiving the email is the actual (events list) from the syslog search, not the actual count. Is there a way to ask for the "events list" and not get the "results table" in the output? Currently I am only getting the "Results Table" in the email notification.

pstein

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎11-05-2010 05:12 PM

What you might prefer is to break this up differently.

If you have the base search be everything before the stats clause:

sourcetype=syslog_info ETH_PORT_CHANNEL AND down OR up | rex "port-channel(?\d+):"

and in the alerting UI, if you set 'if custom condition is met', that allows you to basically run a postProcess search against the results and only trigger if that second search returns results...

So to follow your example, the "custom condition search" would be:

| stats count by port | sort - count | where count>=100

IF the number of events in the search is up in the tens-of-thousands, you might hit postProcess restrictions on accuracy, (where the second search only knows about the first N events and therefore it can get it wrong) Can anyone confirm or refute this potential problem?

In any event you might consider this split instead and it would make the base search a lot smaller, getting around the potential problem and making the email potentially more useful.

base search:

`sourcetype=syslog_info ETH_PORT_CHANNEL AND down OR up | rex "port-channel(?\d+):" | stats count by port | sort - count

custom condition search:

| where count>=100

View solution in original post

Reply
Solved! Jump to solution

Genti
Splunk Employee
Splunk Employee
‎11-05-2010 06:33 PM

how about this: 

sourcetype=syslog_info ETH_PORT_CHANNEL AND down OR up | rex "port-channel(?\d+):" | eventstats count by port | sort - count | where count>=100

Hope this helps,

.gz

Reply
Solved! Jump to solution

Genti
Splunk Employee
Splunk Employee
‎11-05-2010 10:06 PM

modified for a much simpler query

0 Karma
Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎11-05-2010 05:12 PM

What you might prefer is to break this up differently.

If you have the base search be everything before the stats clause:

sourcetype=syslog_info ETH_PORT_CHANNEL AND down OR up | rex "port-channel(?\d+):"

and in the alerting UI, if you set 'if custom condition is met', that allows you to basically run a postProcess search against the results and only trigger if that second search returns results...

So to follow your example, the "custom condition search" would be:

| stats count by port | sort - count | where count>=100

IF the number of events in the search is up in the tens-of-thousands, you might hit postProcess restrictions on accuracy, (where the second search only knows about the first N events and therefore it can get it wrong) Can anyone confirm or refute this potential problem?

In any event you might consider this split instead and it would make the base search a lot smaller, getting around the potential problem and making the email potentially more useful.

base search:

`sourcetype=syslog_info ETH_PORT_CHANNEL AND down OR up | rex "port-channel(?\d+):" | stats count by port | sort - count

custom condition search:

| where count>=100

Reply
Solved! Jump to solution

MasterOogway
Communicator
‎11-05-2010 08:54 PM

I found this same resolution (custom conditional is met) while resolving a different issue. Once it was tested it worked perfectly.
I found a new favorite tool.
Thanks for the heads up.

MasterOogway

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...