I am monitoring myserver logs file created by BEA using a universal forwarder on the BEA instance.
I want to create an alert that log indicates a failure to connect to CISCO.
The search string in my alert looks like this.
sourcetype="myserver" | search "Could not open connection with host: cisco1.cisco.net and port: 101" | stats count as connectionFailure WHERE connectionFailure>0 | eval hourTimeStamp= date_hour.":".date_minute.":".date_second | fields hourTimeStamp,connectionFailure
Note that date_hour, date_minute and date_second are all populated.
However, this search does not seem to be working and I reckon it's because I am not using eval and stats in the right manner.
Any suggestions on how to better this?
The goal of the Alert is to do two things
i) Run this search every 5 minutes so that connectionFailures are detected (count how many)
ii) TimeStamp the event.
If I get the search, I can set the alert myself.
It is unclear what you need the timestamp for... Splunk knows the time period of the search and you do not need to create a timestamp. But I included a field that contains the time that the search started minus 5 minutes.
sourcetype="myserver" "Could not open connection with host: cisco1.cisco.net and port: 101" | stats count as connectionFailure | eval searchStartTime=relative_time(now(),"-5m") | fieldformat searchStart = strftime(searchStartTime,"%H:%M:%S")
It looks like you are trying to use eval for concatenation; that would look like:
... | eval hourTimeStamp= date_hour + ":" + date_minute + ":" + date_second |
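A complete version of the scheduled alert search, as an added example that is not part of the question or the answer above. The sourcetype, host and port strings come from the question; the field names connectionFailure, lastFailure and detectedAt are chosen here.

```spl
sourcetype="myserver" earliest=-5m latest=now
    "Could not open connection with host: cisco1.cisco.net and port: 101"
| stats count AS connectionFailure, max(_time) AS lastFailure
| where connectionFailure > 0
| eval detectedAt = strftime(now(), "%Y-%m-%d %H:%M:%S"),
       lastFailure = strftime(lastFailure, "%H:%M:%S")
| fields detectedAt, lastFailure, connectionFailure
```

Schedule the alert on a 5-minute cron and trigger on "number of results greater than 0": stats count returns a single row with 0 when nothing matched, and the where clause drops that row, so the alert stays quiet until a failure is logged.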