Hello all,
I'm quite new to the wonderful world of Splunk, but not new to monitoring or IT in general. We are optimizing our operations processes and I'd like to get a state of the last 24h of our environment, specifically our Firewall status. It sends all its logging to Splunk and I've created the following filter to find all the errors, but it's not working:
host="hostname" AND ( CASE(CONFIG) CASE(commit*) NOT Succeeded ) OR "snmpd.log due to log overflow" OR ( ("TS-Agent" AND "connect-agent-failure") | where NOT (date_hour >= 1 AND date_hour < 5) )
It gives me back: "Error in 'search' command: Unable to parse the search: unbalanced parentheses."
The last part of the filter (TS-Agent and so on) has to be filtered because I wish to exclude a timeframe from the results (reboot schedule of said servers), however, the other searches need to be from all the time (e.g. the last 24h or whatever I set).
I think I'm doing something wrong or things just don't work like I expect. I hope you folks can help me out or point me in the right direction. I'd like to get all the errors on one tile so I can see if I can get my coffee in the morning slowly or fast 😉 Many thanks in advance!
Hi @Bastiaan,
as I said, follow the Splunk Search Tutorial and you'll quickly learn how to search on Splunk.
Anyway, if you have only to search some strings, you can put them in the main search using the boolean operator to correlate them, remembering that the AND operator is by default.
So if you want to find all events containing the strings you define, you could try to run:
index=your_index host=your_host ("CONFIG, commit* but not Succeeded" OR "snmpd.log")
| table _time host TS_Agent
Then you can add the time conditions, but, as I said, follow the Search Tutorial.
At least, don't use the "-" char in field names because Splunk uses it as subtraction operator, use underscore "_".
Ciao.
Giuseppe
Hi @Bastiaan,
at first, always indicate the index you're using in the main search.
Then, you used a wrong syntax: you cannot use the case function in the main search but only in eval or stats.
Then I don't understand the conditions you're trying to set, could you better describe them?
Then in the first part of the search you didn't close the parenthesis: it's not possible to close a parenthesis after a pipe as you did.
I hint to follow the Splunk Search Tutorial, to understand how to create a search in Splunk and its rules: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial
Ciao.
Giuseppe
I see I have a lot to learn.
The essence is: I want to get three things from the log of host "hostname". First, "CONFIG, commit* but not Succeeded", I also want "snmpd.log" messages and I want to get "TS-Agent" from the logging.
But from the last one I'm not interested in what happens between 01:00 and 05:00 since they give errors during that time frame that I don't care about.
The other two filter/searches I want to get 24/7 messages from.
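The three requirements above written as one Splunk search, as an added example that is not part of the original thread: every parenthesis is balanced, nothing is piped inside a parenthesised group, case() only appears in eval, and the 01:00-05:00 exclusion is applied only to the TS-Agent clause. `your_index` is an assumed index name, and `date_hour` is derived from the event timestamp in the timezone Splunk parsed it in, so check that it matches the wall clock of the reboot schedule.

```spl
index=your_index host="hostname"
    (
        (CONFIG commit* NOT Succeeded)
        OR "snmpd.log due to log overflow"
        OR ("TS-Agent" "connect-agent-failure" NOT (date_hour>=1 date_hour<5))
    )
| eval reason=case(
        match(_raw, "connect-agent-failure"), "TS-Agent connect failure",
        match(_raw, "snmpd\.log due to log overflow"), "snmpd log overflow",
        match(_raw, "commit"), "config commit not succeeded",
        true(), "other")
| stats count AS errors latest(_time) AS last_seen BY reason
| convert ctime(last_seen)
```

The final stats/convert lines give one row per error type with a count and the last occurrence, which is the shape a single dashboard tile needs; drop them to see the raw events instead.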
Many thanks, I will get to it!
Hi @Bastiaan,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉