Splunk Search

Splunk search string to send an email alert when the TNS Ping is greater than 5000msecs

Isaias_Garcia
Path Finder

Hello-

I have this log in Splunk:

2014-01-22 17:18:11,509 INFO ben.benactiond: Event:'db1xxx-yyy.xxxx|LISTENER_db0100000-dr.xxxxx|/OEM/Alert|3|"OEM Event Listener response to a TNS ping is 450 msecs. Detail in OEM at //xxxx.xxxx:xxxxx/redirect?pageType=sdk-core-event-console-detailEvent&issueID=F071CFED50B45B79E043E403490A20CB"' Trigger:OEMAlert_Warning Action:email Status:SUCCESS

Question: I want Splunk to send an email alert everytime the TNS Ping is greater than 5000msecs. What search strings should I use? Thank you in advance

Tags (1)
0 Karma
1 Solution

lguinn2
Legend

Try this

yoursearchhere
| rex "TNS ping is (?<TNSping>\d+) msecs"
| where TNSping > 5000

and set the alert to trigger if number of events is greater than zero.

View solution in original post

Isaias_Garcia
Path Finder

Hi Iguinn/linu

Thanks for your responses..Im still getting "greater than 500" value instead of "5000" after fixing all the search strings.

This is the search string I used per your suggestions:

OEM Event Listener response to a TNS ping is | rex "TNS ping is (?\d+) msecs" | convert num(TNSping) as TNSping | where TNSping > "5,000"

However the results are still "greater than 500"

2014-02-03 09:26:18,913 INFO zen.zenactiond: Event:'xxxxx-xxxxx.xxxxx|LISTENERxxxxx-xxxxx.xxxxx|/OEM/Alert|3|"OEM Event Listener response to a TNS ping is 650 msecs. 2014-02-03 09:26:18,794 INFO zen.zenactiond: Event:'xxxxx-xxxxx.xxxxx|LISTENERxxxxx-xxxxx.xxxxx|/OEM/Alert|3|"OEM Event Listener response to a TNS ping is 650 msecs.

Please advise. I really appreciate your help on this,. Thanks

0 Karma

lguinn2
Legend

As @linu1988 said - what happened to the field? Also, TNSping is not a string and you can't do > for strings anyway, so your where command will not work. Try this, carefully:

OEM Event Listener response to a TNS ping is
| rex "TNS ping is (?<TNSping>\d+) msecs"
| where TNSping > 5000

0 Karma

linu1988
Champion

where did the field go?

| rex "TNS ping is (?\d+) msecs"

0 Karma

Isaias_Garcia
Path Finder

Hi Iguinn -

Thank you.I appreciate your help..However, I'm still getting the same > 500 results instead of > 5000 after trying your suggestions:(
Please advise

0 Karma

lguinn2
Legend

Let's test by running this search:

yoursearchhere
| rex "TNS ping is (?<TNSping>\d+) msecs"
| convert num(TNSping) as TNSping

After the search runs, see if you can find the TNSping field in the sidebar on the left. (You may have to run the search in "verbose" mode.)

Click on the field name in the sidebar and add TNSping to the "selected fields." Now the TNSping value should show up beneath each event, along with the host, source and sourcetype. Does the value of TNSping make sense?

Isaias_Garcia
Path Finder

Hi Iguinn-

Thanks for your help.I tried your suggestion by doing this seach string:

"OEM Event Listener response to a TNS ping is | rex "TNS ping is (?\d+) msecs" | where TNSping > 5000"

And I got this results:
2014-01-23 09:04:07,401 INFO xxx.xxx: Event:'xxxx|LISTENER_xxxxx|/xxx/xxx3|"OEM Event Listener response to a TNS ping is 540 msecs.....

2014-01-23 08:09:04,866 INFO zxxx.xxx: Event:'xxxx|LISTENER_xxxxx|/xxx/xxx3|"OEM Event Listener response to a TNS ping is 740 msecs. ....

2014-01-23 02:13:42,328 INFO xxx.xxx: Event:'xxxx|LISTENER_xxxxx|/xxx/xxx3|"OEM Event Listener response to a TNS ping is 530 msecs.....

It seems working, however, what I am getting is a TNS ping that is greater than 500 and not 5000. Perhaps it just needs some tweaking on the search. Please advise.

0 Karma

lguinn2
Legend

@linu1988 - good eye - that is the problem with the search that @Isaias.Garcia is running!

0 Karma

linu1988
Champion

Got it now, you extracted the field as (?d+)

tnsping and you are comparing with TNSping which doesnt even exist. Makes sure you always use the exact field name 🙂

lguinn2
Legend

Huh. That's odd. But maybe we should make sure that TNSping is a number, like this

yoursearchhere
| rex "TNS ping is (?<TNSping>\d+) msecs"
| convert num(TNSping) as TNSping
| where TNSping > 5000

0 Karma

lguinn2
Legend

Try this

yoursearchhere
| rex "TNS ping is (?<TNSping>\d+) msecs"
| where TNSping > 5000

and set the alert to trigger if number of events is greater than zero.

Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...