Hello-
I have this log in Splunk:
2014-01-22 17:18:11,509 INFO ben.benactiond: Event:'db1xxx-yyy.xxxx|LISTENER_db0100000-dr.xxxxx|/OEM/Alert|3|"OEM Event Listener response to a TNS ping is 450 msecs. Detail in OEM at //xxxx.xxxx:xxxxx/redirect?pageType=sdk-core-event-console-detailEvent&issueID=F071CFED50B45B79E043E403490A20CB"' Trigger:OEMAlert_Warning Action:email Status:SUCCESS
Question: I want Splunk to send an email alert every time the TNS ping is greater than 5000 msecs. What search strings should I use? Thank you in advance.
Try this
yoursearchhere
| rex "TNS ping is (?<TNSping>\d+) msecs"
| where TNSping > 5000
and set the alert to trigger if the number of events is greater than zero.
Hi Iguinn/linu
Thanks for your responses. I'm still getting "greater than 500" values instead of "5000" after fixing all the search strings.
This is the search string I used per your suggestions:
OEM Event Listener response to a TNS ping is | rex "TNS ping is (?<tnsping>\d+) msecs" | convert num(TNSping) as TNSping | where TNSping > "5,000"
However the results are still "greater than 500"
2014-02-03 09:26:18,913 INFO zen.zenactiond: Event:'xxxxx-xxxxx.xxxxx|LISTENERxxxxx-xxxxx.xxxxx|/OEM/Alert|3|"OEM Event Listener response to a TNS ping is 650 msecs.
2014-02-03 09:26:18,794 INFO zen.zenactiond: Event:'xxxxx-xxxxx.xxxxx|LISTENERxxxxx-xxxxx.xxxxx|/OEM/Alert|3|"OEM Event Listener response to a TNS ping is 650 msecs.
Please advise. I really appreciate your help on this. Thanks
As @linu1988 said - what happened to the field? Also, TNSping is not a string, and you can't do > for strings anyway, so your where command will not work. Try this, carefully:
OEM Event Listener response to a TNS ping is
| rex "TNS ping is (?<TNSping>\d+) msecs"
| where TNSping > 5000
where did the
| rex "TNS ping is (?
Hi Iguinn -
Thank you. I appreciate your help. However, I'm still getting the same > 500 results instead of > 5000 after trying your suggestions :(
Please advise
Let's test by running this search:
yoursearchhere
| rex "TNS ping is (?<TNSping>\d+) msecs"
| convert num(TNSping) as TNSping
After the search runs, see if you can find the TNSping field in the sidebar on the left. (You may have to run the search in "verbose" mode.)
Click on the field name in the sidebar and add TNSping to the "selected fields." Now the TNSping value should show up beneath each event, along with the host, source and sourcetype. Does the value of TNSping make sense?
Hi Iguinn-
Thanks for your help. I tried your suggestion by running this search string:
"OEM Event Listener response to a TNS ping is | rex "TNS ping is (?
And I got these results:
2014-01-23 09:04:07,401 INFO xxx.xxx: Event:'xxxx|LISTENER_xxxxx|/xxx/xxx3|"OEM Event Listener response to a TNS ping is 540 msecs.....
2014-01-23 08:09:04,866 INFO zxxx.xxx: Event:'xxxx|LISTENER_xxxxx|/xxx/xxx3|"OEM Event Listener response to a TNS ping is 740 msecs. ....
2014-01-23 02:13:42,328 INFO xxx.xxx: Event:'xxxx|LISTENER_xxxxx|/xxx/xxx3|"OEM Event Listener response to a TNS ping is 530 msecs.....
It seems to be working; however, what I am getting is a TNS ping that is greater than 500 and not 5000. Perhaps it just needs some tweaking on the search. Please advise.
@linu1988 - good eye - that is the problem with the search that @Isaias.Garcia is running!
Got it now: you extracted the field as tnsping and you are comparing with TNSping, which doesn't even exist. Make sure you always use the exact field name 🙂
Huh. That's odd. But maybe we should make sure that TNSping is a number, like this
yoursearchhere
| rex "TNS ping is (?<TNSping>\d+) msecs"
| convert num(TNSping) as TNSping
| where TNSping > 5000
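To make the two suggested searches (the plain rex + where version and the rex + convert + where version) concrete, here is an added Python model of what that pipeline does over a handful of constructed events in the thread's log format. It is not the thread's own code and does not use Splunk; it mimics `rex` (named captures become string fields), `convert num()` + `where` (numeric threshold), and, as an assumption about why the "greater than 500" results appeared, a lexicographic string comparison like `where TNSping > "5,000"`. It also shows that filtering on the lowercase field name `tnsping` matches nothing, which is the field-name mismatch @linu1988 pointed out. Host and listener names in the sample events are placeholders.

```python
import re

# Constructed sample events in the thread's log format (not real data);
# host and listener names are placeholders.
SAMPLE_EVENTS = [
    "2014-01-23 09:04:07,401 INFO xxx.xxx: Event:'host1|LISTENER_db1|/OEM/Alert|3|"
    "\"OEM Event Listener response to a TNS ping is 540 msecs.\"' Trigger:OEMAlert_Warning Action:email Status:SUCCESS",
    "2014-01-23 08:09:04,866 INFO xxx.xxx: Event:'host1|LISTENER_db1|/OEM/Alert|3|"
    "\"OEM Event Listener response to a TNS ping is 740 msecs.\"' Trigger:OEMAlert_Warning Action:email Status:SUCCESS",
    "2014-01-23 02:13:42,328 INFO xxx.xxx: Event:'host2|LISTENER_db2|/OEM/Alert|3|"
    "\"OEM Event Listener response to a TNS ping is 5300 msecs.\"' Trigger:OEMAlert_Warning Action:email Status:SUCCESS",
    "2014-01-23 01:00:00,000 INFO xxx.xxx: Event:'host2|LISTENER_db2|/OEM/Alert|3|"
    "\"OEM Event Listener response to a TNS ping is 12040 msecs.\"' Trigger:OEMAlert_Warning Action:email Status:SUCCESS",
    # An OEM alert that is not a TNS ping: rex must leave it without the field.
    "2014-01-23 00:30:00,000 INFO xxx.xxx: Event:'host3|LISTENER_db3|/OEM/Alert|3|"
    "\"Tablespace usage at 91%\"' Trigger:OEMAlert_Warning Action:email Status:SUCCESS",
]

# The thread's pattern, written with Python's (?P<name>...) named-group syntax;
# it captures the same digits as rex "TNS ping is (?<TNSping>\d+) msecs".
TNS_PING_RE = re.compile(r"TNS ping is (?P<TNSping>\d+) msecs")


def rex(events, pattern=TNS_PING_RE):
    """Mimic `| rex "..."`: each event becomes a dict of fields, and every
    named capture is attached as a *string* field, exactly as rex does."""
    result = []
    for raw in events:
        fields = {"_raw": raw}
        match = pattern.search(raw)
        if match:
            fields.update(match.groupdict())
        result.append(fields)
    return result


def where_numeric(events, field, threshold):
    """Mimic `| convert num(field) as field | where field > threshold`.
    Events without the field, or with a non-numeric value, drop out.
    Field names are case-sensitive, so "tnsping" never matches "TNSping"."""
    kept = []
    for event in events:
        value = event.get(field)
        if value is None:
            continue
        try:
            number = int(value)
        except ValueError:
            continue
        if number > threshold:
            kept.append(event)
    return kept


def where_string(events, field, literal):
    """Lexicographic comparison of the raw string field against a string
    literal. Assumed here to be what `where TNSping > "5,000"` amounts to:
    "540" and "740" pass (first character >= '5'), while "12040" fails."""
    return [event for event in events if field in event and event[field] > literal]


def ping_values(events, field="TNSping"):
    """The matched ping times as integers, for inspection and testing."""
    return [int(event[field]) for event in events if field in event]


def alert_fires(matching_events):
    """Alert condition from the thread: trigger when the number of events > 0."""
    return len(matching_events) > 0


if __name__ == "__main__":
    extracted = rex(SAMPLE_EVENTS)
    print("numeric   > 5000   :", ping_values(where_numeric(extracted, "TNSping", 5000)))
    print('string    > "5,000":', ping_values(where_string(extracted, "TNSping", "5,000")))
    print("field tnsping > 5000:", ping_values(where_numeric(extracted, "tnsping", 5000)))
    print("alert fires:", alert_fires(where_numeric(extracted, "TNSping", 5000)))
```

Running it shows the numeric filter keeping only 5300 and 12040, the string comparison keeping 540, 740 and 5300 (and dropping 12040), and the lowercase field name keeping nothing at all, which is the sidebar check from the earlier post done in code: look at the extracted field's name and value before writing the threshold.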