Hello
I'm a Splunk newbie, be gentle please.
I'm trying to monitor my VPNs' status with Splunk; unfortunately my firewall does not log VPN up or down.
So I made a PowerShell script that every 4 minutes makes a set of pings to an IP on the destination site of each VPN.
Each ping gets exported to a CSV file, automatically renamed with a timestamp to a new source file name for each VPN.
My search string is:
index=ping | eval Procent=if(like(_raw, "%100%" ), "DOWN" , "UP") | table _time , VPN , Procent , SyncOff | sort VPN , -_time | dedup VPN
Procent stands for a set of pings that are 100% lost.
Works perfectly so far.
But I wanted to have the "SyncOff" field tell me if one of the VPNs hasn't been pinged in the last 10 min, due to a PowerShell script malfunction or whatever.
So in short, if _time is less than 10 min, set field SyncOff to "Out of Sync".
Can anybody help me with this, please?
First, by default, Splunk returns the most recent record first, so your sort, while correct, is redundant. Also, sort has an implicit limit on the number of records it returns, so get in the habit of coding it | sort 0 so it doesn't drop any records that are over the limit.
You only need the most recent record for each VPN, so you can run dedup right out of the box. The only non-internal field you are using is VPN, so you can use the fields command as soon as possible to get rid of everything else. (Internal fields like _time and _raw will stick around until the table command.)
index=ping
| fields VPN
| dedup VPN
| eval Procent=if(like(_raw, "%100%" ), "DOWN" , "UP")
| table _time, VPN, Procent, SyncOff
Second, epoch time is in seconds, so the epoch time for "ten minutes before the search began" is now() - 600, and the number of seconds before the search began that an event occurred is calculated as now() - _time.
| eval SyncOff=if(now() - _time > 600, "Out of Sync", "In Sync")
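The same dedup-then-staleness logic as the answer above, as an added Python example (not the poster's script or Splunk's own code) run over a constructed CSV sample shaped like the ping exports. The known_vpns parameter is an assumption added here: dedup can only keep events that exist, so a VPN with no row at all in the search window would otherwise silently vanish from the table instead of showing "Out of Sync".

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample of the per-VPN ping CSV exports described in the question.
SAMPLE_CSV = """_time,VPN,Result
2024-01-01T12:00:00Z,VPN-A,Lost = 0 (0% loss)
2024-01-01T12:04:00Z,VPN-A,Lost = 4 (100% loss)
2024-01-01T11:40:00Z,VPN-B,Lost = 0 (0% loss)
2024-01-01T12:04:00Z,VPN-C,Lost = 1 (25% loss)
"""

STALE_AFTER = 600  # seconds; the 600 in `now() - _time > 600`


def parse_ts(text):
    """ISO-8601 UTC timestamp -> epoch seconds (what Splunk stores in _time)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def parse_rows(text):
    """Turn the CSV export into event dicts with _time, VPN and _raw."""
    return [
        {"_time": parse_ts(row["_time"]), "VPN": row["VPN"], "_raw": row["Result"]}
        for row in csv.DictReader(io.StringIO(text))
    ]


def vpn_status(rows, now, known_vpns=()):
    """Mirror `| dedup VPN | eval Procent=... | eval SyncOff=...`.

    Returns {VPN: (Procent, SyncOff)}.
    """
    # Newest first, then keep the first event per VPN == `dedup VPN` on default order.
    latest = {}
    for row in sorted(rows, key=lambda r: r["_time"], reverse=True):
        latest.setdefault(row["VPN"], row)
    report = {}
    for vpn, row in latest.items():
        # like(_raw, "%100%") matches the substring "100" anywhere in the raw text.
        procent = "DOWN" if "100" in row["_raw"] else "UP"
        sync = "Out of Sync" if now - row["_time"] > STALE_AFTER else "In Sync"
        report[vpn] = (procent, sync)
    # Assumed extension: a listed VPN with no event at all is stale, not absent.
    for vpn in known_vpns:
        report.setdefault(vpn, ("UNKNOWN", "Out of Sync"))
    return report
```

Calling vpn_status(parse_rows(SAMPLE_CSV), parse_ts("2024-01-01T12:05:00Z"), ["VPN-D"]) flags VPN-A as DOWN but in sync, VPN-B as stale, and the never-seen VPN-D as stale.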
Thanks, exactly what I wanted. Works like a charm.
I think relative_time is what you're looking for.
This will give you the epoch time of 10 minutes ago relative to now. Then if you want to test against this time, just add the extra conditional logic:
| eval ten_min_ago=relative_time(now(), "-10m@m")
| eval test_the_script=if('Last_Script_Run'<'ten_min_ago',"He's dead Jim","Success")
@skoelpin - This works, but when comparing epoch time fields against a constant time difference, you can just use the number of seconds as a shortcut. Your method is absolutely what would be needed if the time being checked was "one month" or "one quarter" or "one year", which are not fixed numbers of seconds.
Yeah agreed, I like your solution better