Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

group fields in search command

hjwang
Contributor
‎12-13-2010 02:40 AM

i would like to send an alert when newwork interface is down more than 3 min. That is to say i wanna group the field named "Status" together which value is either up or down, and the time difference is within 3 min. Now if i use "%LINK-3-UPDOWN"... | transaction host, interface | where eventcont%2!=0 per 3 min. but it have problems when e.g. down event is at 2:50 and up is at 3:10 (scheduled search is at 0:00,3:00,6:00...) even covering the search time range still exists this problem. any other best way to do this? thanks and regards,

Tags (2)
0 Karma
Reply

mw
Splunk Employee
Splunk Employee
‎12-13-2010 03:31 AM

In general you'd want some overlap in your search. So, if your search runs at 0:00, 3:00, and 6:00, you wouldn't want the search to only look back 3 hours. You'd want to look back maybe 3 hours 15 minutes.

However, that won't completely solve your problem because the outage could be days long. Maybe you could add something like this if there's no up event?

... | eval do_alert=if(now() - _time >= 180, "True", "False")

And then on the schedule set the alert to a custom condition of: 

search do_alert=True
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...