Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

group fields in search command

hjwang
Contributor
‎12-13-2010 02:40 AM

i would like to send an alert when newwork interface is down more than 3 min. That is to say i wanna group the field named "Status" together which value is either up or down, and the time difference is within 3 min. Now if i use "%LINK-3-UPDOWN"... | transaction host, interface | where eventcont%2!=0 per 3 min. but it have problems when e.g. down event is at 2:50 and up is at 3:10 (scheduled search is at 0:00,3:00,6:00...) even covering the search time range still exists this problem. any other best way to do this? thanks and regards,

Tags (2)
0 Karma
Reply

mw
Splunk Employee
Splunk Employee
‎12-13-2010 03:31 AM

In general you'd want some overlap in your search. So, if your search runs at 0:00, 3:00, and 6:00, you wouldn't want the search to only look back 3 hours. You'd want to look back maybe 3 hours 15 minutes.

However, that won't completely solve your problem because the outage could be days long. Maybe you could add something like this if there's no up event?

... | eval do_alert=if(now() - _time >= 180, "True", "False")

And then on the schedule set the alert to a custom condition of: 

search do_alert=True
0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...