Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

group fields in search command

hjwang
Contributor
‎12-13-2010 02:40 AM

i would like to send an alert when newwork interface is down more than 3 min. That is to say i wanna group the field named "Status" together which value is either up or down, and the time difference is within 3 min. Now if i use "%LINK-3-UPDOWN"... | transaction host, interface | where eventcont%2!=0 per 3 min. but it have problems when e.g. down event is at 2:50 and up is at 3:10 (scheduled search is at 0:00,3:00,6:00...) even covering the search time range still exists this problem. any other best way to do this? thanks and regards,

Tags (2)
0 Karma
Reply

mw
Splunk Employee
Splunk Employee
‎12-13-2010 03:31 AM

In general you'd want some overlap in your search. So, if your search runs at 0:00, 3:00, and 6:00, you wouldn't want the search to only look back 3 hours. You'd want to look back maybe 3 hours 15 minutes.

However, that won't completely solve your problem because the outage could be days long. Maybe you could add something like this if there's no up event?

... | eval do_alert=if(now() - _time >= 180, "True", "False")

And then on the schedule set the alert to a custom condition of: 

search do_alert=True
0 Karma
Reply
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
Top