Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About mkouzou
mkouzou
Explorer
Member since:
03-10-2022
09-13-2022
Community Statistics
| Posts | 8 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 03-10-2022 |
Activity Feed
- Posted Re: How to compare events "without" common fields? on Getting Data In. 09-13-2022 05:56 AM
- Karma Re: Compare events "without" common fields for gcusello. 09-13-2022 05:56 AM
- Posted Re: How to compare events "without" common fields? on Getting Data In. 09-13-2022 05:54 AM
- Posted Re: Compare events "without" common fields on Getting Data In. 09-12-2022 02:04 AM
- Posted Re: Compare events "without" common fields on Getting Data In. 09-09-2022 06:36 AM
- Posted Re: Compare events "without" common fields on Getting Data In. 09-09-2022 06:20 AM
- Posted Re: Compare events "without" common fields on Getting Data In. 09-09-2022 05:48 AM
- Posted How to compare events "without" common fields? on Getting Data In. 09-09-2022 05:27 AM
- Karma How do I integrate Zabbix with Splunk? for sachaz. 08-09-2022 07:03 AM
- Tagged Re: Integration Zabbix-Splunk on Getting Data In. 08-04-2022 08:12 AM
- Posted Re: Integration Zabbix-Splunk on Getting Data In. 08-04-2022 07:42 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
09-13-2022
05:56 AM
Hello all, Thank you for your help. I finally found the solution by doing that and optimizing the result by adding some more filters like severity: index=my_index sourcetype=alerts (eid=* AND result="1" AND severity>2 AND error=*) OR (init_eid=* AND result="0")
|fields result,init_eid,eid,Host,severity,error
|eval Merged_eid=coalesce(init_eid,eid)
|eval resolved=if(isnull(init_eid),"No","Yes")
|stats max(Host) as Host min(_time) as _time max(error) as Alert max(resolved) as Resolved max(severity) as Severity by Merged_eid
|search Severity>2 AND Resolved="No" Have a great day.
... View more
09-13-2022
05:54 AM
Hello scelikok, Thank you for your help. You have correctly understood my need. However, this search is a little bit slow, especially when we run it for the last 7 days 🙂 I finally found the solution by doing that and optimizing the result by adding some more filters like severity: index=my_index sourcetype=alerts (eid=* AND result="1" AND severity>2 AND error=*) OR (init_eid=* AND result="0")
|fields result,init_eid,eid,Host,severity,error
|eval Merged_eid=coalesce(init_eid,eid)
|eval resolved=if(isnull(init_eid),"No","Yes")
|stats max(Host) as Host min(_time) as _time max(error) as Alert max(resolved) as Resolved max(severity) as Severity by Merged_eid
|search Severity>2 AND Resolved="No"
... View more
09-12-2022
02:04 AM
hello gcusello, Thank you once again for your help. The "problem" with your search is that is not correlating both events with same "eid & initi_eid" so splunk finds always "result"1. I want to be able even if I chose "all time" in the time picker, to show only events that are not resolved, that is to say, that the we cannot find the couple of "eid and init_eid" (init_eid is the acknowledge event). I don't see how your search combines these two events...:( As I said, I tried the "transaction command" but it doesn't work...Is there any perquisites (type of data, etc) in order that the command works correctly? Thank you in advance.
... View more
09-09-2022
06:36 AM
hello gcusello, I need all the events that they never received a "result=0" message, that is to say, only the active alerts with result=1 and not those that have been acknowledged. For your information ,the "init_eid" and "eid" are uniques codes. We have the "eid" once the alerte triggered and the "init_eid" once the alert resolved. The "init_eid" contains the parent's ID ("eid").
... View more
09-09-2022
06:20 AM
hello gcusello, I think that your SPL is not ok. The result shows me always the history of the alerts. The idea is to hide the alerts that have been resolved(result=0). We should search for an event with "result=1", take its "eid" and search for an event containing the "init_eid" which has for sure the "result=0". I thought that I could do that with "transaction" command but it si not working(no results).
... View more
09-09-2022
05:48 AM
hello gcusello and thank you for your quick reply, The "result" field changes from value "1" to value zero "0) when the problem resolved. thank you
... View more
09-09-2022
05:27 AM
Hello All, I'm trying since 3 days now to find a solution for my problem but without success. I look around for solutions and already asked questions but I didn't find (or I missed it) any. I have a monitoring tool that sends me the host problems in splunk in json format. Once the alert/problem ended, the tool send me another message in splunk but with very little informations except of one field that contains a value(alert id) of the initial alert. Here a example: Initial alert: {"timestamp":1662715948,"guid":468431423,"result":1,"eid":1580,"name":"test kouzou","sev":3,"h":[{"host":"toto","name":"toto"}],"team":["titi"],"tags":-[{"tag":"App","value":"System"},{"tag":"App","value":"host-up"}]} Recovery: {"timestamp":1662716608,"guid":604699994,"result":0,"eid":1059134005,"init_eid":1580} The idea is, to make searches for alerts that have not been resolved yet and show them in a dashboard, if the alert has been acknowledged by the tool, I don't want to show it .I'm trying to make equivalency with the "init_eid" and "eid" field but without success. It is a json content and I tried to do some manual extractions in order to guarantee the "normality" of the fields.I realized also that the "transactions" command is not working at all, only for one field. Do you have any ideas on how I could achieve this goal? Thank you in advance.
... View more
Labels
- Labels:
-
field extraction
-
JSON
-
monitor
08-04-2022
07:42 AM
Hello all, I know that the post is three years old but I was wondering if someone has already integrate the Zabbix metrics to splunk. We have a customer and asked me to use API's via a HF in order to send data in Splunk. Do you have any experience with that or any other methodology? Thank you in advance.
... View more
- Tags:
- zabbix
