cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
nrodrigues
Engager
Member since: ‎04-17-2018
‎01-30-2021
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎04-17-2018
Activity Feed
View All

Re: What is the difference between alert and repor...

by in Alerting
‎01-25-2021 06:42 AM
1 Karma
‎01-25-2021 06:42 AM
1 Karma
After many test, my saved search is still in mode "Report" with only "alert.track=1". An alert type seems to be consisted of 3 points: A cron schedule A trigger condition A trigger actions In my case, here is the options used with the endpoint API "POST /servicesNS/-/-/saved/searches" to get an alert type: "is_scheduled": 1, "alert_type": "number of events" "alert_comparator": "greater than", "alert_threshold": 0, "alert.track": 1 If I remove one of these options, I get a report saved search instead of alert. With the configuration file (savedsearches.conf), the options are "cron_schedule, enableSched, counttype, relation, alert.track". ... View more

How to returns 0 or null if no results with tstats...

by in Splunk Search
‎01-08-2020 09:07 AM
‎01-08-2020 09:07 AM
First of all, I apologize if I missed the answer somewhere and for my bad english. I try to supervise my hosts, indexes and sourcetypes over time with percentage. And I also try to make it dynamic so without keep update a csv file. Here is, the result expected: _time host index sourcetype lasttime count perc_count total_events 01/01/2020 fwd01 firewall pf:filterlog 1577919599 10701461 2 469641743 01/01/2020 inflin01 linux auditd 0 0 0 0 02/01/2020 fwd01 firewall pf:filterlog 1578005999 65224250 14 469641743 02/01/2020 inflin01 linux auditd 0 0 0 0 03/01/2020 fwd01 firewall pf:filterlog 1578092399 66539689 14 469641743 03/01/2020 inflin01 linux auditd 0 0 0 0 04/01/2020 fwd01 firewall pf:filterlog 1578178799 38504400 8 469641743 04/01/2020 inflin01 linux auditd 0 0 0 0 05/01/2020 fwd01 firewall pf:filterlog 1578265199 40818288 9 469641743 05/01/2020 inflin01 linux auditd 0 0 0 0 06/01/2020 fwd01 firewall pf:filterlog 1578351599 89271070 19 469641743 06/01/2020 inflin01 linux auditd 0 0 0 0 07/01/2020 fwd01 firewall pf:filterlog 1578437999 88244234 19 469641743 07/01/2020 inflin01 linux auditd 0 0 0 0 08/01/2020 fwd01 firewall pf:filterlog 1578500836 70338351 5 469641743 08/01/2020 inflin01 linux auditd 0 0 0 0 My search is something like that (on the last 7 days): | tstats latest(_time) as lasttime count where index=* by _time host index sourcetype span=1d | eventstats sum(count) as total_events by host index sourcetype | eval perc_count=round(count*100/total_events,0) But tstats returns me only the rows with 'pf:filterlog' as sourcetype because it's the only one which have data. The idea is to have conditions on perc_count <=2% for example or count=0 in order to raise an alert. I have already a search which works perfectly with 'lasttime' where each host or index or sourcetype (or all 3 at the same time) with custom threshold. So here, I want to identify the log decreases or nothing. How to tell to tstats to returns 0 value if it have 0 result over time? Or any tricks with another commands to get the final results? I also already tried the append command but with the host field is complicated to merge rows with identical host/index/sourcetype. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-30-2021 06:26 AM
Karma from
View All