I am monitoring the myserver log file created by BEA, using a universal forwarder on the BEA instance.
I want to create an alert when the log indicates a failure to connect to CISCO.
The search string in my alert looks like this.
sourcetype="myserver" | search "Could not open connection with host: cisco1.cisco.net and port: 101" | stats count as connectionFailure WHERE connectionFailure>0 | eval hourTimeStamp= date_hour.":".date_minute.":".date_second | fields hourTimeStamp,connectionFailure
Note that date_hour, date_minute and date_second are all populated.
However, this search does not seem to be working, and I reckon it's because I am not using eval and stats in the right manner.
Any suggestions on how to better this?
The goal of the Alert is to do two things
i) Run this search every 5 minutes so that connectionFailures are detected (count how many)
ii) TimeStamp the event.
If I get the search, I can set the alert myself.
It is unclear what you need the timestamp for... Splunk knows the time period of the search and you do not need to create a timestamp. But I included a field that contains the time that the search started minus 5 minutes.
sourcetype="myserver" "Could not open connection with host: cisco1.cisco.net and port: 101" | stats count as connectionFailure | eval searchStartTime=relative_time(now(),"-5m") | fieldformat searchStart = strftime(searchStartTime,"%H:%M:%S")
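As an added example (not part of the answer above), here is one way to get both things the question asked for, a failure count and a timestamp for when the failures happened, in a single search: instead of collapsing the whole 5-minute window into one count, bucket the matching events by minute with Splunk's built-in _time field, keep only buckets that actually contain failures, and format the bucket time for display. The host, port and sourcetype values are the ones from the question; the one-minute span is an assumed choice.

```spl
sourcetype="myserver" "Could not open connection with host: cisco1.cisco.net and port: 101"
| bin _time span=1m
| stats count as connectionFailure by _time
| where connectionFailure > 0
| eval hourTimeStamp=strftime(_time, "%H:%M:%S")
| fields hourTimeStamp, connectionFailure
```

Run over the last 5 minutes on the alert schedule, this returns one row per minute in which at least one connection failure was logged, so the alert's trigger condition can simply be "number of results > 0". The "where" step comes after "stats" because the filter has to apply to the aggregated count, not to the raw events, which is what the WHERE clause inside stats in the original search was trying to do.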