Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About pdreef
pdreef
Explorer
Member since:
12-23-2020
05-22-2021
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 12-23-2020 |
Activity Feed
- Posted Re: Setting duration in search and save as an alert on Alerting. 01-13-2021 09:29 AM
- Posted Re: Setting duration in search and save as an alert on Alerting. 01-12-2021 12:22 PM
- Karma How to write condition for yvreddy90. 01-11-2021 12:39 PM
- Posted Setting duration in search and save as an alert on Alerting. 01-11-2021 12:37 PM
- Posted Re: Creating an alert that mointors specific entries of an index compared to entire index on Alerting. 01-04-2021 12:21 PM
- Posted Re: Creating an alert that mointors specific entries of an index compared to entire index on Alerting. 01-04-2021 11:07 AM
- Posted Re: Creating an alert that mointors specific entries of an index compared to entire index on Alerting. 12-23-2020 07:12 PM
- Posted Creating an alert that mointors specific entries of an index compared to entire index on Alerting. 12-23-2020 10:52 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
01-12-2021
12:22 PM
Yes, that worked. Thank you. I tired had and extra "h" and this is why it wasn't working.
... View more
01-11-2021
12:37 PM
We are trying to set an alert for a sub_A to trigger if no data is sent in 1 hour duration. The previous splunk expert wrote the search below, and i was under the impression to change the "+24h@h" to "1h@h" and "86400", to 3600 would change the parameter of the alert. | where now()>relative_time(LastFileXfer, "+24h@h") | eval DaysOld=round((now() - round(LastFileXfer, 0))/86400, 2) Does this need to be changed when saving the alert in menu section of the alert? -----Thank you----- ------Search------ index=dart_index source=OPS_NIPR_DART_DMZ_IncomingOutgoing status_message="OK" earliest=-48h@h subscription_name IN ("Sub_A") | eval DeliveryComplete=strptime(delivery_complete, "%Y-%m-%d %H:%M:%S") | stats values(src_host) as Source, values(dest_host) as Destination, values(login_name) as DataOwner, values(host_name) as DartNode, values(xfer_type) as XferMethod, min(DeliveryComplete) as EarliestFileXfer, max(DeliveryComplete) as LastFileXfer by subscription_name | where now()>relative_time(LastFileXfer, "+24h@h") | eval DaysOld=round((now() - round(LastFileXfer, 0))/86400, 2) | eval EarliestFileXfer=strftime(EarliestFileXfer, "%Y-%m-%d %H:%M:%S") | eval LastFileXfer=strftime(LastFileXfer, "%Y-%m-%d %H:%M:%S") | table subscription_name Source Destination DataOwner DartNode XferMethod EarliestFileXfer LastFileXfer DaysOld
... View more
Labels
- Labels:
-
alert action
-
alert condition
01-04-2021
12:21 PM
Thanks for the help and assistance. The solution is as follows, Subscription_name OUT (" sub_A | sub_B")
... View more
01-04-2021
11:07 AM
The NOT IN () did not work in the search, was given the error code below. Error in 'search' command: Unable to parse the search: Comparator 'IN' has an invalid term on the left hand side: NOT.
... View more
12-23-2020
07:12 PM
Yes, this worked.! I imagine you can use an OUT for entries you do not want to see in your alert. I will play around and see if that is possible. Thank you for taking the time to help me and my team.
... View more
12-23-2020
10:52 AM
index=dart_index source=DMZ_IncomingOutgoing status_message="OK" earliest=-48h@h | eval DeliveryComplete=strptime(delivery_complete, "%Y-%m-%d %H:%M:%S") | stats values(src_host) as Source, values(dest_host) as Destination, values(login_name) as DataOwner, values(host_name) as DartNode, values(xfer_type) as XferMethod, min(DeliveryComplete) as EarliestFileXfer, max(DeliveryComplete) as LastFileXfer by subscription_name | where now()>relative_time(LastFileXfer, "+24h@h") | eval DaysOld=round((now() - round(LastFileXfer, 0))/86400, 2) | eval EarliestFileXfer=strftime(EarliestFileXfer, "%Y-%m-%d %H:%M:%S") | eval LastFileXfer=strftime(LastFileXfer, "%Y-%m-%d %H:%M:%S") | table subscription_name Source Destination DataOwner DartNode XferMethod EarliestFileXfer LastFileXfer DaysOld I have search that was created by a previous developer and it searches the entire index labeled " subscription_name" The problem is we only want to monitor a certain number of subscrption compared to the entire table of subscription in our DB.
... View more
Labels
- Labels:
-
alert action
-
alert condition
