Re: SPL

navan1 · ‎11-08-2022

Hi All,

How to find more than 3 heartbeat failure with failure reason from same host in a day and put in a table?

I am currently using below search,

Index="my index" sourcetype="my sourcetype" action="heartbeatfailure"
|bucket _time span=day
|stats count by _time host action failure_reason
|where count>2

As the failure reason is different i am unable to get result for the same host in past 24 hrs. How to get stats count by _time, host, action with failure_reason in same table?

johnhuang · ‎11-08-2022

One of these could work:

index="my index" sourcetype="my sourcetype" action="heartbeatfailure" 
| bucket _time span=1d
| eventstats count BY _time host action 
| table _time host action failure_reason count
| where count>2

index="my index" sourcetype="my sourcetype" action="heartbeatfailure" 
| bucket _time span=1d
| stats count values(failure_reason) AS failure_reason BY _time host action
| table _time host action failure_reason count
| where count>2

ITWhisperer · ‎11-08-2022

Index="my index" sourcetype="my sourcetype" action="heartbeatfailure" 
|bucket _time span=day
|stats count values(failure_reason) as failure_reason by _time host action
|where count>2

How to find more than 3 heartbeat failure with failure reason from same host in a day and put in a table?

stats

table

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?