Time-based Lookup Configuration not quite working?

BlueSocket
Communicator

Dear All,

I have a set of error events that are generated when an issue happens in our environment. I run an alert every day to see if there are any events over the previous day and send a table of the results to an administrator.

The problem now is that the administrator has got annoyed with Splunk sending similar events every day and wants to set an event to be "Acknowledged" for a certain amount of time (7 days). If the error occurs again in those 7 days, we do not want to get an email, but we do want to get an email if a different issue occurs.

So... What I have done is to set up a [status] lookup with the following field definition:

"host","Error_Message","Error_Status","Time_Acknowledged"

The idea is that an administrator then uses a Workflow action to output the field data into the lookup, such as:

server1,"I am broken","Acknowledged",07/31/2017 12:04:34

The Workflow action works and I can see the lookup table being added to. So I see the following in the status.csv file:

"host","Error_Message","Error_Status","Time_Acknowledged"
server1,"I am broken","Acknowledged",05/31/2017 12:04:34

The definition of the lookup in the props.conf is:

[status]
default_match = Unknown
filename = status.csv
max_matches = 1
min_matches = 1
time_field = Time_Acknowledged
time_format = %m/%d/%y %H:%M:%S
max_offset_secs = 604800
min_offset_secs = 0

And in the props.conf I put:

[snmp]
LOOKUP-status = status.csv Error_Message AS SNMP_Trap_Message host AS host OUTPUTNEW Error_Status AS Error_Status Time_Acknowledged AS Time_Acknowledged

However, when I run the search WITHIN 7 days of 05/31/2017 12:04:34:

index=main sourcetype=snmp earliest=-1d | table _time, host, Error_Message, Error_Status, Time_Acknowledged

I would expect to see:

06/01/2017 09:23:45    server1    I am broken    Acknowledged    05/31/2017 12:04:34
06/01/2017 10:11:34    server2    I am not well   Unknown             Unknown

However, I see the following:

06/01/2017 09:23:45    server1    I am broken    Unknown             Unknown
06/01/2017 10:11:34    server2    I am not well   Unknown             Unknown

It looks like the Time-based Lookup is not functioning at all.

Does anyone know what I am doing wrong, please?

Thanks in advance,
BlueSocket

1 Solution

BlueSocket
Communicator

Hi,

This is probably bad form, but I am providing an answer to my own question.

I realised my mistake when I re-read the configuration. Most of the stuff was working correctly, but the time_format configuration was wrong:

time_format = %m/%d/%y %H:%M:%S

%y means "2-digit date" and I was providing a "4-digit date". When I changed this to the following, it started to work:

time_format = %m/%d/%Y %H:%M:%S

I hope that this helps someone else!
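As an added example (not the poster's configuration or Splunk's own code), the script below models the time-based lookup described in this thread and shows why the `%y` format left every row at `default_match`: the acknowledgement row and the three events are constructed sample data, and the matching logic is a simplified model of Splunk's lookup behaviour, including the 7-day `max_offset_secs` window.

```python
import csv
import io
from datetime import datetime

# Constructed sample data mirroring the post (not the poster's real files):
# the acknowledgement row written by the workflow action, and three events
# as they would come back from the sourcetype=snmp search.
STATUS_CSV = """host,Error_Message,Error_Status,Time_Acknowledged
server1,"I am broken",Acknowledged,05/31/2017 12:04:34
"""
EVENTS = [  # (_time, host, Error_Message)
    ("06/01/2017 09:23:45", "server1", "I am broken"),
    ("06/01/2017 10:11:34", "server2", "I am not well"),
    ("06/08/2017 09:23:45", "server1", "I am broken"),  # > 7 days after the ack
]

WRONG_FORMAT = "%m/%d/%y %H:%M:%S"  # %y wants a 2-digit year: "2017" does not parse
RIGHT_FORMAT = "%m/%d/%Y %H:%M:%S"  # %Y matches the 4-digit year in status.csv
EVENT_TIME_FORMAT = "%m/%d/%Y %H:%M:%S"
DEFAULT_MATCH = "Unknown"
MIN_OFFSET_SECS, MAX_OFFSET_SECS = 0, 604800  # 7 days, as in the [status] stanza


def parse_time(value, fmt):
    """Return a datetime, or None when the value does not match fmt
    (the failure mode behind the all-Unknown results in the question)."""
    try:
        return datetime.strptime(value, fmt)
    except ValueError:
        return None


def time_based_lookup(events, csv_text, time_format):
    """Simplified model of a Splunk time-based lookup: match on host and
    Error_Message, then require 0 <= event_time - Time_Acknowledged <= 7 days.
    Rows whose Time_Acknowledged fails to parse can never match."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    results = []
    for ts, host, msg in events:
        event_time = parse_time(ts, EVENT_TIME_FORMAT)
        status = DEFAULT_MATCH
        for row in rows:
            ack_time = parse_time(row["Time_Acknowledged"], time_format)
            if ack_time is None or (row["host"], row["Error_Message"]) != (host, msg):
                continue  # unparseable timestamp, or a different host/error pair
            offset = (event_time - ack_time).total_seconds()
            if MIN_OFFSET_SECS <= offset <= MAX_OFFSET_SECS:
                status = row["Error_Status"]
                break
        results.append((ts, host, msg, status))
    return results
```

Running `time_based_lookup(EVENTS, STATUS_CSV, WRONG_FORMAT)` returns `Unknown` for every event, while `RIGHT_FORMAT` marks only the server1 event inside the 7-day window as `Acknowledged`; the later server1 repeat falls outside `max_offset_secs` and alerts again.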
