I am trying to set up an Alert for syslog (udp:514) - and this is the search condition I use:
sourcetype="syslog" TCP_DST_PORT="31621" | eval timeStamp=date_year."-".date_month."-".date_mday.":".date_hour.":".date_minute.":".date_second | table timeStamp, count(eval(TCP_TYPE="TCP_Client_Accepted")) as F5_ACCEPT, count(eval(TCP_TYPE="TCP_Node_Connected")) as F5_CONNECT | eval F5_MISSED=F5_ACCEPT-F5_CONNECT | WHERE F5_MISSED>2
Note that syslog is the log in Splunk that captures transmitted messages on udp:514
Note also that date_year, date_month, date_mday, date_hour, date_minute, date_second are all populated.
This is what I expect in the CSV alert that is in the email:
|| YYYY-MM-DD:HH:MM:SS || F5_ACCEPT || F5_CONNECT || F5_MISSED ||
But that search does not currently work. Any suggestions?
Don't think you can use table like that.
What you're trying to do is get statistics for your F5's connect rate per second.
The field _time is easier to manipulate than all the date parts - you can format the _time field later.
sourcetype="syslog" TCP_DST_PORT="31621"
| bin _time span=1s
| stats count(eval(TCP_TYPE=="TCP_Client_Accepted")) as F5_ACCEPT, count(eval(TCP_TYPE=="TCP_Node_Connected")) as F5_CONNECT by _time
| eval F5_MISSED=F5_ACCEPT-F5_CONNECT
| where F5_MISSED>2
| eval timestamp=strftime(_time,"%Y-%m-%d:%H:%M:%S")
| table timestamp F5_ACCEPT F5_CONNECT F5_MISSED
Does the above search show the results you need?
That worked out well. I guess I could have also tried using separate evals and then lumped them together.
Yours looks much more professional. Thank you.