Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

group fields in search command

hjwang
Contributor
‎12-13-2010 02:40 AM

i would like to send an alert when newwork interface is down more than 3 min. That is to say i wanna group the field named "Status" together which value is either up or down, and the time difference is within 3 min. Now if i use "%LINK-3-UPDOWN"... | transaction host, interface | where eventcont%2!=0 per 3 min. but it have problems when e.g. down event is at 2:50 and up is at 3:10 (scheduled search is at 0:00,3:00,6:00...) even covering the search time range still exists this problem. any other best way to do this? thanks and regards,

Tags (2)
0 Karma
Reply

mw
Splunk Employee
Splunk Employee
‎12-13-2010 03:31 AM

In general you'd want some overlap in your search. So, if your search runs at 0:00, 3:00, and 6:00, you wouldn't want the search to only look back 3 hours. You'd want to look back maybe 3 hours 15 minutes.

However, that won't completely solve your problem because the outage could be days long. Maybe you could add something like this if there's no up event?

... | eval do_alert=if(now() - _time >= 180, "True", "False")

And then on the schedule set the alert to a custom condition of: 

search do_alert=True
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...