Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

Using Stats and Eval (and adding timestamps)

asarolkar
Builder
‎09-27-2012 04:06 PM

I am monitoring myserver logs file created by BEA using a universal forwarder on the BEA instance.

I want to create an alert that log indicates a failure to connect to CISCO.

The search string in my alert looks like this. 

sourcetype="myserver" | search "Could not open connection with host: cisco1.cisco.net and port: 101" | stats count as connectionFailure  WHERE connectionFailure>0 | eval hourTimeStamp= date_hour.":".date_minute.":".date_second | fields hourTimeStamp,connectionFailure

Note that datehour, dateminute and date_second are all populated.

However this search does not seem to be working and i reckon its because I am not using eval and stats in the right manner

Any suggestions on how to better this ?

The goal of the Alert is to do two things


i) Run this search every 5 minutes so that connectionFailures are detected (count how many)


ii) TimeStamp the event.





If I get the search, I can set the alert myself.

0 Karma
Reply
Highlighted

Re: Using Stats and Eval (and adding timestamps)

lguinn2
Legend
‎09-27-2012 04:12 PM

It is unclear what you need the timestamp for... Splunk knows the time period of the search and you do not need to create a timestamp. But I included a field that contains the time that the search started minus 5 minutes.

sourcetype="myserver"  "Could not open connection with host: cisco1.cisco.net and port: 101" 
| stats count as connectionFailure
| eval searchStartTime=relative_time(now(),"-5m")
| fieldFormat searchStart = strftime(searchStartTime,"$H:$M:$S")
Reply
Highlighted

Re: Using Stats and Eval (and adding timestamps)

asarolkar
Builder
‎09-27-2012 04:24 PM

| eval searchStartTime=relativetime(now,"-5,")

are you sure this is allowed ? Splunk says it does not know of a relativetime() method

0 Karma
Reply
Highlighted

Re: Using Stats and Eval (and adding timestamps)

melting
Communicator
‎09-27-2012 04:59 PM

We are close, it is :

eval searchStartTime=relative_time(now(), "-5m")

other eval commandes:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

0 Karma
Reply
Highlighted

Re: Using Stats and Eval (and adding timestamps)

lguinn2
Legend
‎09-27-2012 09:34 PM

Sorry - melting saw my error... my typing really stunk on that one...

0 Karma
Reply
Highlighted

Re: Using Stats and Eval (and adding timestamps)

melting
Communicator
‎09-27-2012 04:19 PM

It looks like you are trying to use eval for concatentation, that would look like:

... | eval hourTimeStamp= date_hour + ":" + date_minute + ":" +date_second |
Reply
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.