Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- SysLog based Alert
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to set up an Alert for syslog (udp:514) - and this is the search condition I use:
sourcetype="syslog" TCP_DST_PORT="31621" | eval timeStamp=date_year."-".date_month."-".date_mday.":".date_hour.":".date_minute.":".date_second | table timeStamp, count(eval(TCP_TYPE="TCP_Client_Accepted")) as F5_ACCEPT, count(eval(TCP_TYPE="TCP_Node_Connected")) as F5_CONNECT | eval F5_MISSED=F5_ACCEPT-F5_CONNECT | WHERE F5_MISSED>2
Note that syslog is the log in Splunk that captures transmitted messages on udp:514
Note also that date _ year, date _ month, date _ mday, date _ hour, date _ minute, date _ second are all populated
This is what I expect in the CSV alert that in the email.
|| YYYY-MM-DD:HH:MM:SS || F5_ ACCEPT || F5_CONNECT || F5_ MISSED ||
But that search does not currently work. Any suggestions ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't think you can use table like that.
What you're trying to do is get statistics for your F5s connect rate per second
The field _time is easier to manipulate than all the date parts - you can format the _time field later.
sourcetype="syslog" TCP_DST_PORT="31621"
| bin _time span=1s
| stats count(eval(TCP_TYPE=="TCP_Client_Accepted")) as F5_ACCEPT, count(eval(TCP_TYPE=="TCP_Node_Connected")) as F5_CONNECT by _time
| eval F5_MISSED=F5_ACCEPT-F5_CONNECT
| WHERE F5_MISSED>2
| eval timestamp=strftime(_time),"%%Y-%m-%d:%H:%M:%S")
| table timestamp F5_ACCEPT F5_CONNECT F5_MISSED
Does the above search show the results you need ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't think you can use table like that.
What you're trying to do is get statistics for your F5s connect rate per second
The field _time is easier to manipulate than all the date parts - you can format the _time field later.
sourcetype="syslog" TCP_DST_PORT="31621"
| bin _time span=1s
| stats count(eval(TCP_TYPE=="TCP_Client_Accepted")) as F5_ACCEPT, count(eval(TCP_TYPE=="TCP_Node_Connected")) as F5_CONNECT by _time
| eval F5_MISSED=F5_ACCEPT-F5_CONNECT
| WHERE F5_MISSED>2
| eval timestamp=strftime(_time),"%%Y-%m-%d:%H:%M:%S")
| table timestamp F5_ACCEPT F5_CONNECT F5_MISSED
Does the above search show the results you need ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
that worked out well. I guess I could have also tried using separate evals and then lump them together
yours looks much more profesional .. thank you
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
