Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

add time constraint for web site avilability check condition

riqbal47010
Path Finder
‎11-27-2019 10:24 PM

Referring below query:

index=f5
| rex field=headers "Host: (?<host_url>[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3})" 
| eval portal=if(cidrmatch("10.x0x.0.0/16",dest) OR cidrmatch("10.A0A.0.0/16",dest) ,"External_Portal","Internal_Portal") 
| stats count(eval(status="200")) AS "ok_status", count(eval(status="404" OR status="50*")) as "not_ok_status" by dest,host_url 
**| eval site_status = if("ok_status" < "not_ok_status" , "site_unavailable" , "site_available")** 
| search host_url="www.*.xxx.xx" | fields + dest host_url site_status

================================================
| eval site_status = if("ok_status" < "not_ok_status" , "site_unavailable" , "site_available")

At this stage I want to put the time constraint that if within 5 minutes, if("ok_status" < "not_ok_status") then the site is unavailable.

Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎11-29-2019 07:11 AM 
index=f5 sourcetype=your_sourcetype "www.*" dest="10.x0x.*"
| rex field=headers "Host: (?<host_url>[^:]+?)" 
| stats count(eval(status="200")) AS ok_status, count(eval(status="404" OR status="50*")) as not_ok_status by dest,host_url 
| fields dest host_url ok_status not_ok_status
| eval site_status = if(ok_status < not_ok_status , "site_unavailable" , "site_available")

I modified it in various ways.how about this?

0 Karma
Reply

riqbal47010
Path Finder
‎11-27-2019 11:23 PM

Further to above I update the query as below:
index=f5
| rex field=headers "Host: (?[a-zA-Z0-9-.]+.[a-zA-Z]{2,3})"
| eval portal=if(cidrmatch("10.x0x.0.0/16",dest) OR cidrmatch("10.a0a.0.0/16",dest) ,"External_Portal","Internal_Portal") | search host_url="www.*.xx.xx" portal="External_Portal"
[ search index=f5 earliest=-5m latest=now
| rex field=headers "Host: (?[a-zA-Z0-9-.]+.[a-zA-Z]{2,3})"
| stats count(eval(status="200")) AS "ok_status", count(eval(status="404" OR status="50*")) as "not_ok_status" by dest,host_url
| eval site_status = if("ok_status" < "not_ok_status" , "site_unavailable" , "site_available")
| return site_status]
| fields site_status,dest,host_url

but no results...?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...