Splunk Search
Highlighted

SysLog based Alert

Builder

I am trying to set up an Alert for syslog (udp:514) - and this is the search condition I use:

sourcetype="syslog" TCP_DST_PORT="31621" | eval timeStamp=date_year."-".date_month."-".date_mday.":".date_hour.":".date_minute.":".date_second | table timeStamp, count(eval(TCP_TYPE="TCP_Client_Accepted")) as F5_ACCEPT, count(eval(TCP_TYPE="TCP_Node_Connected")) as F5_CONNECT | eval F5_MISSED=F5_ACCEPT-F5_CONNECT  | WHERE F5_MISSED>2

Note that syslog is the log in Splunk that captures transmitted messages on udp:514



Note also that date _ year, date _ month, date _ mday, date _ hour, date _ minute, date _ second are all populated




This is what I expect in the CSV alert that in the email.

|| YYYY-MM-DD:HH:MM:SS || F5_ ACCEPT || F5CONNECT || F5 MISSED ||

But that search does not currently work. Any suggestions ?

0 Karma
Highlighted

Re: SysLog based Alert

Influencer

Don't think you can use table like that.

What you're trying to do is get statistics for your F5s connect rate per second

The field _time is easier to manipulate than all the date parts - you can format the _time field later.

sourcetype="syslog" TCP_DST_PORT="31621" 
| bin _time span=1s
| stats count(eval(TCP_TYPE=="TCP_Client_Accepted")) as F5_ACCEPT, count(eval(TCP_TYPE=="TCP_Node_Connected")) as F5_CONNECT by _time 
| eval F5_MISSED=F5_ACCEPT-F5_CONNECT  
| WHERE F5_MISSED>2
| eval timestamp=strftime(_time),"%%Y-%m-%d:%H:%M:%S")
| table timestamp F5_ACCEPT F5_CONNECT F5_MISSED

Does the above search show the results you need ?

View solution in original post

Highlighted

Re: SysLog based Alert

Builder

that worked out well. I guess I could have also tried using separate evals and then lump them together

yours looks much more profesional .. thank you

0 Karma