Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

group fields in search command

hjwang
Contributor
‎12-13-2010 02:40 AM

i would like to send an alert when newwork interface is down more than 3 min. That is to say i wanna group the field named "Status" together which value is either up or down, and the time difference is within 3 min. Now if i use "%LINK-3-UPDOWN"... | transaction host, interface | where eventcont%2!=0 per 3 min. but it have problems when e.g. down event is at 2:50 and up is at 3:10 (scheduled search is at 0:00,3:00,6:00...) even covering the search time range still exists this problem. any other best way to do this? thanks and regards,

Tags (2)
0 Karma
Reply

mw
Splunk Employee
Splunk Employee
‎12-13-2010 03:31 AM

In general you'd want some overlap in your search. So, if your search runs at 0:00, 3:00, and 6:00, you wouldn't want the search to only look back 3 hours. You'd want to look back maybe 3 hours 15 minutes.

However, that won't completely solve your problem because the outage could be days long. Maybe you could add something like this if there's no up event?

... | eval do_alert=if(now() - _time >= 180, "True", "False")

And then on the schedule set the alert to a custom condition of: 

search do_alert=True
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...