Splunk Search

Showing/counting events that aren't there

fabrizioalleva
Path Finder

Hi all,

we have a procedure that writes to the index only where there's a KO:

So I have a sequence of events like this:

DATE,RESPONSE
2024/05/24 11:04:00,1
2024/05/24 11:05:00,1
2024/05/24 11:06:00,1
2024/05/24 11:08:00,1
2024/05/24 11:09:00,1
2024/05/24 11:10:00,1
2024/05/24 11:11:00,1
2024/05/24 11:13:00,1
2024/05/24 11:14:00,1

As you can see, between 2024/05/24 11:06:00 and 2024/05/24 11:08:00, and between 2024/05/24 11:11:00 and 2024/05/24 11:12:00, there's no KO.

What we want to do is produce a full output like this:

2024/05/24 11:04:00,1
2024/05/24 11:05:00,1
2024/05/24 11:06:00,1
2024/05/24 11:07:00,0
2024/05/24 11:08:00,1
2024/05/24 11:09:00,1
2024/05/24 11:10:00,1
2024/05/24 11:11:00,1
2024/05/24 11:12:00,0
2024/05/24 11:13:00,1
2024/05/24 11:14:00,1

This is to highlight when the service is up or down. I've tried a lot of methods but I cannot obtain a similar result.

Any suggestions?

Thanks, Fabrizio


gcusello
SplunkTrust

Hi @fabrizioalleva,

I suppose that you already extracted the field with the status=1.

In this case you could run

<your_search>
| timechart span=1m count BY status

Ciao.

Giuseppe


fabrizioalleva
Path Finder

Thanks,

@gcusello, I already tried with timechart, but if I have a lot of applications which work in this way, I'm not able to work with timechart, also because if I want to work with the data after timechart I cannot.

Maybe it's better like this:

DATE,APP
2024/05/24 11:04:00,APPA
2024/05/24 11:05:00,APPB
2024/05/24 11:06:00,APPA
2024/05/24 11:08:00,APPB
2024/05/24 11:09:00,APPA
2024/05/24 11:10:00,APPB
2024/05/24 11:11:00,APPA
2024/05/24 11:13:00,APPB
2024/05/24 11:14:00,APPA

So I have to highlight this "flapping" condition within 10 minutes. If the app is present, it means that it's not responding.

index=myindex
| timechart span=1m count BY APP

produces:

_time, APPA, APPB

And what I want to produce is:

_time, APPA, APPB
2024/05/24 11:04:00,1,0
2024/05/24 11:05:00,0,1
2024/05/24 11:06:00,1,0
2024/05/24 11:07:00,0,0
2024/05/24 11:08:00,0,1
2024/05/24 11:09:00,1,0
2024/05/24 11:10:00,0,1
2024/05/24 11:11:00,1,0
2024/05/24 11:12:00,0,0
2024/05/24 11:13:00,0,1
2024/05/24 11:14:00,1,0

But I want to work with this output in order to send alerts to other applications.

Thanks

gcusello
SplunkTrust

Hi @fabrizioalleva ,

if you need to send an alert, you could run a search like the following every 5 minutes:

index=myindex earliest=-5m@m latest=@m
| stats count BY APP
| where count<5

Instead, in a dashboard panel, you can use timechart.

Ciao.

Giuseppe
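
Added example, not from either poster: one search that first builds the per-minute 0/1 table Fabrizio asked for (one row per minute and per application, with an explicit 0 for minutes in which nothing was indexed) and then reduces it to one row per application, which is the shape a scheduled alert needs, as in Giuseppe's search above. It assumes the index name `myindex` and the field `APP` from the thread; the derived field names `failures`, `down`, `changed`, `flaps`, `down_minutes` and `down_at` are chosen here and are not part of the original posts.

```spl
index=myindex earliest=-10m@m latest=@m
| timechart span=1m limit=0 count BY APP
| fillnull value=0
| untable _time APP failures
| eval down=if(failures>0, 1, 0)
| sort 0 APP _time
| streamstats window=2 range(down) AS changed BY APP
| stats sum(changed) AS flaps, sum(down) AS down_minutes, values(eval(if(down=1, strftime(_time, "%H:%M"), null()))) AS down_at BY APP
| where flaps>=2
```

How it works: `timechart span=1m count BY APP` emits every one-minute bucket in the search window, so minutes with no event become 0 (`fillnull` is only a safety net); `limit=0` stops timechart from folding applications beyond the tenth into an OTHER column. `untable` turns the wide table back into one row per minute per application, which is the point where the data becomes usable again after timechart. `down` is the 0/1 status per minute, `streamstats window=2 range(down)` is 1 exactly on a 0->1 or 1->0 transition, and `sum(changed)` per APP therefore counts state changes in the window: two or more is flapping, while `down_minutes` is the same count Giuseppe's `stats count BY APP` gives. Two caveats for alerting: an application that never failed in the window has no column after timechart and so no row at all, which is the healthy case but means `stats` cannot report it as "0 flaps"; and the search is snapped to whole minutes (`@m`), so events indexed after `latest` are missed if indexing lag is material, in which case shift the window back by a minute.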

gcusello
SplunkTrust

Hi @fabrizioalleva ,

good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
