×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
jcunningham_con
Explorer
Member since: ‎06-22-2017
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 2
Member Since ‎06-22-2017
Activity Feed
View All

Detecting endpoint change in a specific event with...

by in Alerting
‎09-28-2017 12:33 PM
‎09-28-2017 12:33 PM
Looking for assistance with creating an email alert when an endpoint changes in logs. We want to avoid multiple emails going out every 15 minutes and only send the email alert when the switch happens. The alert would be searching every 15 minutes. Thinking that the best way to do this is come up with a search that only returns the specific event in question. If we find two different endpoints (field value) for the 15 minute window, then we know a switch has occurred. From here am looking for assistance. How to write the query to detect which endpoint we started with and what we switched to. Thinking that we can do something like the following to get timestamp for endpointA and endpointB events. Then see which one is greater than the other. Then conditional statement to determine what the source and destination endpoints are. ... | eval time_a = case(expression to determine if it's endpointA, _time) | eval time_b = case(expression to determine if it's endpointB, _time) Any help would be greatly appreciated. ... View more

Re: How to have 'count as' and also 'count by' for...

by in Splunk Search
‎06-23-2017 08:48 AM
2 Karma
‎06-23-2017 08:48 AM
2 Karma
It's done/working. I am a noob here, meant to post as a comment to previous answer 🙂 ... View more

Re: How to have 'count as' and also 'count by' for...

by in Splunk Search
‎06-23-2017 08:04 AM
‎06-23-2017 08:04 AM
Thanks for the help, makes sense now. Some additional info about the problem is that there is a file processed potentially daily and currently we are doing manual checks. Instead, we are setting up a Splunk alert to provide a report for each hop of the file processing. If the file was successfully transferred; display file name. If there was a corresponding error file created, display the name of it and how many error records there were, and etc. Following is scrubbed query for two of the hops: index=prod sourcetype=esb ("bulk process for file" AND "xxx.yyyy") | rex field=_raw "bulk process for file: (?<esb_Success_File>.*?) is successful(ly)? completed" | stats count as mycount by esb_Success_File | rename COMMENT as "Now add a record for no files, but only if there are no records to this point." | appendpipe [| stats count as mycount | where mycount==0 | eval esb_Success_File = "No Success Files at Hop2 Today" ] | rename COMMENT as "... and eliminate everything but the file names, since there can be only one." | appendcols [search index="prod" sourcetype="esb" ("Error file" AND "xxx.yyyyz*") | rex field=_raw "Error file (?<esb_Error_File>.*)" | rex mode=sed field=esb_Error_File "s/records: (\d+)/{records}/" | rex mode=sed field=esb_Error_File "s/out of (\d+)/{out of total}/" | replace "/xxx/yyyy/dddd/hhhhhh/ffffff/* is created with total error {records} {out of total} records" with * in esb_Error_File | rex field=_raw "is created with total error records: (?<esb_Error_Records>.*)" | stats count as mycount by esb_Error_File esb_Error_Records | appendpipe [| stats count as mycount | where mycount==0 | eval esb_Error_File = "No Error Files at Hop2 Today", esb_Error_Records = "N/A" ]] | appendcols [search index="prod" sourcetype="file_transfer" ("the new filename is" AND "xxx.yyyy") | rex field=_raw "the new filename is (?<FT_Success_File>xxx.*)" | stats count as mycount by FT_Success_File | appendpipe [| stats count as mycount | where mycount==0 | eval FT_Success_File = "File Not Sent from Hop1 during this time"]] | appendcols [search index="prod" sourcetype="file_transfer" ("xxx.yyyy" AND "Successful transfer") | rex field=_raw "File=/xxxx/yyyyyyy/ddd.fff.vvv.(?<FT_Transfer_Status>xxx.yyyy.*\n.*)" | stats count as mycount by FT_Transfer_Status | appendpipe [| stats count as mycount | where mycount==0 | eval FT_Transfer_Status = "File Not Sent from Hop1 during this time"]] | fields FT_Success_File FT_Transfer_Status esb_Success_File esb_Error_File esb_Error_Records ... View more

How to have 'count as' and also 'count by' for one...

by in Splunk Search
‎06-22-2017 01:36 PM
‎06-22-2017 01:36 PM
The following query should be intuitive enough to see what am trying to do. This query will list Success_file field values as desired, however the eval will fail. On the other hand, if I replace 'count by' with 'count as' and include values(Success_File) then the eval will work correctly, but the grouping does not and thus duplicate field values are not listed etc. Is there a way to do both so that the below eval command will succeed? index=prod sourcetype=esb ("bulk process for file" AND "xxx.yyy") | rex field=_raw "bulk process for file: (?<Success_File>.*)" | replace "*is successful completed" with * in Success_File | stats count by Success_File | eventstats sum(count) as Success_Count | eval Success_File = if(Success_Count=0, "No Success File Today", Success_File) | fields Success_File ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All
Karma given to
View All