
Using Stats and Eval (and adding timestamps)

Builder

I am monitoring myserver logs file created by BEA using a universal forwarder on the BEA instance.

I want to create an alert that log indicates a failure to connect to CISCO.

The search string in my alert looks like this.

sourcetype="myserver" | search "Could not open connection with host: cisco1.cisco.net and port: 101" | stats count as connectionFailure  WHERE connectionFailure>0 | eval hourTimeStamp= date_hour.":".date_minute.":".date_second | fields hourTimeStamp,connectionFailure 

Note that date_hour, date_minute and date_second are all populated.

However, this search does not seem to be working and I reckon it's because I am not using eval and stats in the right manner.

Any suggestions on how to improve this?

The goal of the alert is to do two things:

i) Run this search every 5 minutes so that connectionFailures are detected (count how many)

ii) Timestamp the event.

If I get the search, I can set the alert myself.


Re: Using Stats and Eval (and adding timestamps)

Legend

It is unclear what you need the timestamp for... Splunk knows the time period of the search and you do not need to create a timestamp. But I included a field that contains the time that the search started minus 5 minutes.

sourcetype="myserver"  "Could not open connection with host: cisco1.cisco.net and port: 101" 
| stats count as connectionFailure
| eval searchStartTime=relative_time(now(),"-5m")
| fieldformat searchStart = strftime(searchStartTime,"%H:%M:%S")

Re: Using Stats and Eval (and adding timestamps)

Builder

| eval searchStartTime=relativetime(now,"-5,")

Are you sure this is allowed? Splunk says it does not know of a relativetime() method.


Re: Using Stats and Eval (and adding timestamps)

Splunk Employee

We are close, it is:

eval searchStartTime=relative_time(now(), "-5m")

Other eval commands:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions


Re: Using Stats and Eval (and adding timestamps)

Legend

Sorry - melting saw my error... my typing really stunk on that one...


Re: Using Stats and Eval (and adding timestamps)

Splunk Employee

It looks like you are trying to use eval for concatenation, that would look like:

... | eval hourTimeStamp= date_hour + ":" + date_minute + ":" +date_second |
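One complete alert search that covers both goals in the question (count the failures seen in the 5-minute window, and timestamp the failure itself rather than the search), added here as an example and not taken from any of the posts above. It uses the sourcetype and message from the question; the 5-minute window and the output format strings are assumptions. Note that after `stats`, only the aggregated fields survive, so date_hour and friends are gone; the event time has to be carried through the aggregation, here with latest(_time).

```spl
sourcetype="myserver" "Could not open connection with host: cisco1.cisco.net and port: 101"
| stats count AS connectionFailure, latest(_time) AS lastFailure
| where connectionFailure > 0
| eval lastFailureTime = strftime(lastFailure, "%Y-%m-%d %H:%M:%S")
| eval searchStart = strftime(relative_time(now(), "-5m"), "%H:%M:%S")
| fields searchStart, lastFailureTime, connectionFailure
```

Schedule the alert to run every 5 minutes over the last 5 minutes and trigger on "number of results is greater than 0": the `where` clause drops the single zero-count row that `stats count` returns when nothing matched, so a row exists only when at least one connection failure was logged.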