×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Bastiaan
Engager
Member since: ‎09-08-2023
‎09-08-2023
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-08-2023
Activity Feed
Topics I've Started
View All

Re: Search with limited time clause

by in Splunk Search
‎09-08-2023 04:05 AM
‎09-08-2023 04:05 AM
Many thanks, I will get to it! ... View more

Re: Search with limited time clause

by in Splunk Search
‎09-08-2023 03:47 AM
‎09-08-2023 03:47 AM
I see I have a lot to learn. The essence is: I want to get three things from the log of host "hostname". First, "CONFIG, commit* but not Succeeded", I also want "snmpd.log" messages and I want to get "TS-Agent" from the logging. But from the last one I'm not interested in what happens between 01:00 and 05:00 since they give errors during that time frame that I don't care about. The other two filter/searches I want to get 24/7 messages from. ... View more

Search with limited time clause

by in Splunk Search
‎09-08-2023 02:53 AM
‎09-08-2023 02:53 AM
Hello all, I'm quite new to the wonderful world of Splunk, but not new to monitoring or IT in general. We are optimizing our operations processes and I'd like to get a state of the last 24h of our environment, specifically our Firewall status. It sends all it's logging to Splunk and I've created the following filter to find all the errors, but it's not working: host="hostname" AND ( CASE(CONFIG) CASE(commit*) NOT Succeeded ) OR "snmpd.log due to log overflow" OR ( ("TS-Agent" AND "connect-agent-failure") | where NOT (date_hour >= 1 AND date_hour < 5) ) It gives me back: "Error in 'search' command: Unable to parse the search: unbalanced parentheses." The last part of the filer (TS-Agent and so on) has to be filtered because I wish to exclude a timeframe from the results (reboot schedule of said servers), however, the other searches need to be from all the time (e.g. the last 24h or whatever  I set). I think I'm doing something wrong or things just don't work like I expect. I hope you folks can help me out or point me in the right direction. I'd like to get all the errors on one tile so I can see if I can get my coffee in the morning slowly or fast 😉 Many thanks in advance! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-08-2023 07:31 AM