Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About nanoo1
nanoo1
Loves-to-Learn Everything
Member since:
12-15-2021
02-09-2022
Community Statistics
| Posts | 14 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 12-15-2021 |
Activity Feed
- Posted Generate incident after 3 strike failure on Alerting. 12-20-2021 11:14 PM
- Posted Re: Splunk query to display count based on message on Splunk Search. 12-20-2021 08:51 AM
- Posted Re: Splunk query to display count based on message on Splunk Search. 12-20-2021 08:20 AM
- Posted Re: Splunk query to display count based on message on Splunk Search. 12-20-2021 06:44 AM
- Posted Splunk query to display count based on message on Splunk Search. 12-20-2021 01:46 AM
- Posted Re: Generete event after 3 consecutive failure on Splunk Search. 12-19-2021 11:14 PM
- Posted Re: Generete event after 3 consecutive failure on Splunk Search. 12-15-2021 08:25 PM
- Posted Re: Generete event after 3 consecutive failure on Splunk Search. 12-15-2021 08:22 AM
- Posted Re: Generete event after 3 consecutive failure on Splunk Search. 12-15-2021 08:07 AM
- Posted Re: Generete event after 3 consecutive failure on Splunk Search. 12-15-2021 07:12 AM
- Posted Re: Generete event after 3 consecutive failure on Splunk Search. 12-15-2021 06:37 AM
- Posted Re: Generete event after 3 consecutive failure on Splunk Search. 12-15-2021 06:32 AM
- Posted Re: Generete event after 3 consecutive failure on Splunk Search. 12-15-2021 06:14 AM
- Posted Generete event after 3 consecutive failure on Splunk Search. 12-15-2021 06:05 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
12-20-2021
11:14 PM
Hi, We are using servicenow which has been integrated with Splunk to generate incidents. The current query works fine for single failure but checking to generate incident if a log backup failed repeatedly for 3 times and then generate an incident. My current eval looks like: | eval itsi_entity=objectName, itsi_event_key=objectId, itsi_correlation_key=objectId, itsi_summary="Backup "+eventStatus+" for "+objectName, message=message, itsi_message="Alerting time: "+human_readable_time+"~~"+field1+"~~"+field2+"~~"+field3+"~~"+field4+"~~"+field5+"~~"+field6+"~~"+field7+"~~"+field8, itsi_impact=case( message like("%Failed log backup of Oracle Database%") ,"High", message like("%Failed backup of Oracle Database%"),"High", true(), "Medium"), itsi_urgency=case( message like("%Failed log backup of Oracle Database%"), "High", message like("%Failed backup of Oracle Database%"), "High", true(), "Medium") I need to have something in itsi_impact case statements for "failed log backup" failed for 3 times then generate high incident. I tried to keep eval and count fields in case statement but not working.
... View more
Labels
- Labels:
-
alert action
12-20-2021
08:51 AM
Just to add more here, here is complete search: | from datamodel:"Project_job_events"| where clusterName=="ITS07-SD02A" | where eventStatus=="Failure" | table _time,objectName,message,locationName,,eventStatus,objectType,objectId,_raw I did below for each fields, | eval json_field=split(_raw,",") | eval field1=mvindex(json_field,1) | eval itsi_entity=objectName, itsi_event_key=objectId, itsi_correlation_key=objectId, message=message, itsi_message="Alerting time: "+human_readable_time+"~~"+field1+"~~"+field2+"~~"+field3+"~~"+field4+"~~"+field5+"~~"+field6+"~~"+field7+"~~"+field8, itsi_impact=case( message like("%Failed project %") | ,"High" message like("%Failed Compliance Project%"),"High", true(), "Medium"), itsi_urgency=case( message like("%Failed project %"), "High", message like("%Failed Compliance project%"), "High", true(),"Medium") Requirement - For a message like "Failed project" , the search should basically count for 3 times failure and then send an alert. The below search works when we run index and so on but when try to keep in eval statement it does not. Moreover I tried keeping above itsi_impact and inside of that as well, still no luck
... View more
12-20-2021
08:20 AM
I apologize for lack of clarity here I have a field "objectName" which refers to different projects like IT256, IT345 and so on and "message" field which shows messages like "Failed project on <objectname>" . requirement is, say 3 times there had been a failure occurred and 4th time it should generate an incident. This applies to each of the objectName here is , ex IT256 failed 2 times- as the count is 2 -don't generate incident IT345 failed 4 times - as the count is greater than 3 generate an incident. Hope this helps.
... View more
12-20-2021
06:44 AM
I tried above and it is working but not I expected. | stats count As Total -> it is counting the number of occurrences like 2,1,1 | search Total > 2 -> it is displaying overall value For the below table if you see, and above query, it should not display any event as there is no data with >2 but it is displaying 4 Project Failed Count ITC029 2 ITC1034 1 ITC1035 1
... View more
12-20-2021
01:46 AM
Hi, I need a help with a query to display the count based on a particular message. For example, "Failed project on ABC", the query basically should read and count 2 and if it's greater than 2 , should display the number I tried something like this, but not working index="Project" | stats count(eval(message like("%Failed Project on%")) | where count>2 Could someone suggest way of achieving this? /nanoo1
... View more
Labels
- Labels:
-
count
12-15-2021
08:22 AM
I tried to add these lines itsi_impact=case( | stats count(eval(message like("%Failed log backup of Oracle Database%"))) values(message) as messages by objectName, | where count > 3, message like("%Failed log backup of Oracle Database%") ,"High", message like("%Failed backup of Oracle Database%"),"High", true(), "Medium") Getting an error "Error in 'eval' command: The expression is malformed. Expected ) " I tried to keep outside as well but eval is expecting= , any suggestion ?
... View more
12-15-2021
08:07 AM
One of the log event example time: 2021-12-15T15:54:17.725Z clusterName: ITSEDC08-SD02D eventStatus: Failure eventType: Backup id: f78ad415-6fde-49aa-b004-58cde954e783 message: Failed log backup of Oracle Database 'ITC1089'. objectId: OracleDatabase:::94dea975-e1fe-4684-8b7e-9e77e4b92e81 objectName: ITC1089 objectType: OracleDb
... View more
12-15-2021
07:12 AM
Here is my complete search: | from datamodel:"dataset_backup_job_events"| where clusterName=="ITSEDC07-SD02A" | where eventStatus=="Failure" | table _time,objectName,message,locationName,eventStatus,objectType,objectId,_raw | eval json_field=split(_raw,",") | eval field1=mvindex(json_field,1) | eval field1=replace(field1,"\"","") | eval field2=mvindex(json_field,2) | eval field2=replace(field2,"\"","") | eval field3=mvindex(json_field,3) | eval field3=replace(field3,"\"","") | eval field4=mvindex(json_field,4) | eval field4=replace(field4,"\"","") | eval field5=mvindex(json_field,5) | eval field5=replace(field5,"\"","") | eval field6=mvindex(json_field,6) | eval field6=replace(field6,"\"","") | eval field7=mvindex(json_field,7) | eval field7=replace(field7,"\"","") | eval field8=mvindex(json_field,8) | eval field8=replace(field8,"\"","") | eval field8=rtrim(field8,"}") | eval human_readable_time=strftime(_time, "%Y-%d-%m %H:%M") | eval itsi_entity=objectName, itsi_event_key=objectId, itsi_correlation_key=objectId, itsi_summary="Backup "+eventStatus+" for "+objectName, message=message, itsi_tag=mvappend("NowIT", "ITSI"), itsi_message="Alerting time: "+human_readable_time+"~~"+field1+"~~"+field2+"~~"+field3+"~~"+field4+"~~"+field5+"~~"+field6+"~~"+field7+"~~"+field8, itsi_impact=case( message like("%Failed log backup of Oracle Database%") ,"High", message like("%Failed backup of Oracle Database%"),"High", true(), "Medium"), itsi_urgency=case( message like("%Failed log backup of Oracle Database%"), "High", message like("%Failed backup of Oracle Database%"), "High", true(), "Medium") | rex mode=sed field=itsi_message "s/\\\/-/g"
... View more
12-15-2021
06:37 AM
I tried in this fashion itsi_message="Alerting time: "+human_readable_time+"~~"+field1+"~~"+field2+"~~"+field3+"~~"+field4+"~~"+field5+"~~"+field6+"~~"+field7+"~~"+field8, itsi_impact=case( message like("%Failed log backup of Oracle Database%") ,"High" | stats count by "%Failed log backup of Oracle Database%" | where count >3, message like("%Failed backup of Oracle Database%"),"High", true(), "Medium") getting an eval error.
... View more
12-15-2021
06:32 AM
Thanks but we have other failures as well in this query and this field should be applicable for only Oracle log backups. Any suggestions how to embed this ?
... View more
12-15-2021
06:14 AM
My query currently generating an incident for each failure. For "log backup", I would like an incident to generate after 3 failures, something log backup failure >3 , create an incident. Impact=case( message like("%Failed log backup of Oracle Database%"),"2-Significant/Large", message like("%Failed backup of Oracle Database%"),"2-Significant/Large", true(), "3-Moderate/Limited"), Urgency=case( message like("%Failed log backup of Oracle Database%"), "2-High", message like("%Failed backup of Oracle Database%"), "2-High", true(), "3-Medium" ) Below are the fields from my table table _time,objectName,message,locationName,eventStatus,objectType,objectId here objectName related database name and objectType as Oracledb
... View more
12-15-2021
06:05 AM
Hi, I need an help with splunk search query where in an incident need to be generated for a log backup failure after 3 consecutive failures. /nanoo1
... View more
Labels
- Labels:
-
table
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-09-2022
06:34 AM
|
