Splunk Search

Search with limited time clause

Bastiaan
Engager

Hello all,

I'm quite new to the wonderful world of Splunk, but not new to monitoring or IT in general. We are optimizing our operations processes and I'd like to get a state of the last 24h of our environment, specifically our Firewall status. It sends all its logging to Splunk and I've created the following filter to find all the errors, but it's not working:

host="hostname" AND ( CASE(CONFIG) CASE(commit*) NOT Succeeded ) OR "snmpd.log due to log overflow" OR ( ("TS-Agent" AND "connect-agent-failure") | where NOT (date_hour >= 1 AND date_hour < 5) )

It gives me back: "Error in 'search' command: Unable to parse the search: unbalanced parentheses."

The last part of the filter (TS-Agent and so on) has to be filtered because I wish to exclude a timeframe from the results (reboot schedule of said servers), however, the other searches need to be from all the time (e.g. the last 24h or whatever I set).

I think I'm doing something wrong or things just don't work like I expect. I hope you folks can help me out or point me in the right direction. I'd like to get all the errors on one tile so I can see if I can get my coffee in the morning slowly or fast 😉 Many thanks in advance!

0 Karma

gcusello
SplunkTrust

@Bastiaan,

at first, always indicate the index you're using in the main search.

then, you used a wrong syntax: you cannot use the case function in the main search but only in eval or stats.

Then I don't understand the conditions you're trying to set, could you better describe them?

Then in the first part of the search you didn't close the parentheses: it's not possible to close a parenthesis after a pipe as you did.

I suggest you follow the Splunk Search Tutorial, to understand how to create a search in Splunk and its rules: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial

Ciao.

Giuseppe

0 Karma

Bastiaan
Engager

I see I have a lot to learn.

The essence is: I want to get three things from the log of host "hostname". First, "CONFIG, commit* but not Succeeded", I also want "snmpd.log" messages and I want to get "TS-Agent" from the logging.

But from the last one I'm not interested in what happens between 01:00 and 05:00 since they give errors during that time frame that I don't care about.

The other two filter/searches I want to get 24/7 messages from.

0 Karma

gcusello
SplunkTrust

Hi @Bastiaan,

as I said, follow the Splunk Search Tutorial and you'll quickly learn how to search on Splunk.

Anyway, if you have only to search some strings, you can put them in the main search using the boolean operator to correlate them, remembering that the AND operator is by default.

So if you want to find all events containing the strings you define, you could try to run:

index=your_index  host=your_host ("CONFIG, commit* but not Succeeded" OR "snmpd.log")
| table _time host TS_Agent

Then you can add the time conditions, but, as I said, follow the Search Tutorial.

Lastly, don't use the "-" char in field names because Splunk uses it as subtraction operator, use underscore "_".

Ciao.

Giuseppe

0 Karma
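One search that expresses the three conditions described above, with the hour exclusion applied only to the TS-Agent branch and the parentheses balanced inside the main search, as an added example (not from either poster). The index name, earliest=-24h and the exact message strings are assumptions taken from the original question; the case() function is used where it is allowed, in eval, to label each matching event.

```spl
index=your_index host="hostname" earliest=-24h latest=now
    (
        (CONFIG commit* NOT Succeeded)
        OR "snmpd.log due to log overflow"
        OR ("TS-Agent" "connect-agent-failure" NOT (date_hour>=1 date_hour<5))
    )
| eval reason=case(
      searchmatch("CONFIG commit* NOT Succeeded"), "commit failed",
      searchmatch("\"snmpd.log due to log overflow\""), "snmpd log overflow",
      searchmatch("\"TS-Agent\" \"connect-agent-failure\""), "TS-Agent connect failure")
| table _time host reason _raw
```

date_hour is taken from the timestamp as written in the raw event, so confirm it matches the servers' local 01:00-05:00 reboot window; if it does not, derive the hour from _time with strftime in an eval after the base search and filter on that instead.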

Bastiaan
Engager

Many thanks, I will get to it!

0 Karma

gcusello
SplunkTrust

Hi @Bastiaan,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma