
How to create an alert for when the VPN goes down but only when the drop lasts more than 1 minute?

splunkcol
Contributor

Hi

I need to create an alert for when the VPN goes down but only when the drop lasts more than 1 minute.

I would appreciate your help

 

Right now I have the alert set to report any down events and then manually check which ones last longer than 1 minute.

index=paloalto |search EventID=tunnel-status-down OR EventID=tunnel-status-up


richgalloway
SplunkTrust

Look for where the last event is a status-down and it's been more than a minute since then.

index=paloalto |search EventID=tunnel-status-down OR EventID=tunnel-status-up
| dedup EventID
| where (EventID=tunnel-status-down AND _time < relative_time(now(),"-1m"))
---
If this reply helps you, an upvote would be appreciated.

splunkcol
Contributor

Hello, it did not bring me results.

This is the result when I only filter by the EventIDs, how can I calculate the time between the first down and the next up?

[screenshot: splunkcol_0-1652111461289.png]

richgalloway
SplunkTrust

My first reply would not return results if the VPN was not down for more than a minute - I believe that's the expected scenario.  Then the alert just has to be configured to trigger when the search returns results - meaning the VPN has been down for at least one minute.

My answer also assumed events would be in reverse time order, which is the default for Splunk searches.  Since your screenshot shows that's not the case, here is an updated search.

index=paloalto EventID=tunnel-status-down OR EventID=tunnel-status-up
| sort - _time
| dedup EventID Object
| where (EventID=tunnel-status-down AND _time < relative_time(now(),"-1m"))
---
If this reply helps you, an upvote would be appreciated.
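The logic the thread converges on ("the tunnel's most recent event is a status-down and that event is older than one minute") and the follow-up question ("how do I get the time between a down and the next up?") can both be checked offline before wiring them into an alert. The Python below is an added example, not code from the thread and not SPL: it re-implements the two searches over a handful of constructed Palo Alto-style events. The field names `EventID` and `Object` are taken from the thread; the timestamps, tunnel names and the `_time` layout are assumptions for the sample.

```python
from datetime import datetime, timedelta

DOWN = "tunnel-status-down"
UP = "tunnel-status-up"

# Constructed sample events (not from the thread). Each line is an ISO-8601
# _time followed by the two fields the thread filters and dedups on. The lines
# are deliberately not in reverse time order, to show the order does not matter.
SAMPLE_EVENTS = """\
2022-05-09T16:10:05+00:00 EventID=tunnel-status-down Object=vpn-branch-a
2022-05-09T16:10:40+00:00 EventID=tunnel-status-up Object=vpn-branch-a
2022-05-09T16:12:00+00:00 EventID=tunnel-status-down Object=vpn-branch-a
2022-05-09T16:15:30+00:00 EventID=tunnel-status-up Object=vpn-branch-a
2022-05-09T16:20:00+00:00 EventID=tunnel-status-down Object=vpn-branch-b
2022-05-09T16:21:30+00:00 EventID=tunnel-status-down Object=vpn-branch-c
"""


def parse_time(iso_text):
    """Parse the constructed ISO-8601 _time value into a timezone-aware datetime."""
    return datetime.fromisoformat(iso_text)


def parse_events(text):
    """Turn the sample lines into dicts with _time, EventID and Object keys."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        fields["_time"] = parse_time(ts)
        events.append(fields)
    return events


def tunnels_down_longer_than(events, now, min_seconds=60):
    """Emulates: keep the latest event per Object, then alert if that event is a
    tunnel-status-down older than relative_time(now(), "-1m").
    Works on events in any time order; returns the affected Object names."""
    latest = {}
    for ev in events:
        cur = latest.get(ev["Object"])
        if cur is None or ev["_time"] > cur["_time"]:
            latest[ev["Object"]] = ev
    cutoff = now - timedelta(seconds=min_seconds)
    return sorted(obj for obj, ev in latest.items()
                  if ev["EventID"] == DOWN and ev["_time"] < cutoff)


def outage_durations(events):
    """Pair each down with the next up on the same Object, which is the
    down-to-up interval the follow-up question asks for.
    Returns (Object, down_time, seconds); seconds is None while still down."""
    by_obj = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        by_obj.setdefault(ev["Object"], []).append(ev)
    result = []
    for obj, evs in by_obj.items():
        open_down = None
        for ev in evs:
            if ev["EventID"] == DOWN and open_down is None:
                open_down = ev["_time"]          # first down of this outage
            elif ev["EventID"] == UP and open_down is not None:
                seconds = (ev["_time"] - open_down).total_seconds()
                result.append((obj, open_down, seconds))
                open_down = None
        if open_down is not None:
            result.append((obj, open_down, None))  # outage still open
    return result


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    now = parse_time("2022-05-09T16:22:00+00:00")   # assumed "current" time
    print("alert on:", tunnels_down_longer_than(evs, now))
    for obj, started, secs in outage_durations(evs):
        print(obj, started.isoformat(), "still down" if secs is None else f"{secs:.0f}s")
```

With the sample data, `vpn-branch-a` recovered and `vpn-branch-c` has been down for only 30 seconds, so only `vpn-branch-b` is returned; the alert condition in Splunk would then simply be "number of results greater than 0". Computing the latest event per tunnel rather than per EventID is what makes the check independent of the event order that tripped up the first search.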