Activity Feed
- Karma Re: Using lookup tables to create separate alerts for prod and nonprod hosts for jfraiberg. 06-05-2020 12:49 AM
- Karma Re: Transaction with multiple startswith conditions for elliotproebstel. 06-05-2020 12:49 AM
- Karma Understanding the LOOKUP command for mahbs. 06-05-2020 12:49 AM
- Karma Re: Understanding the LOOKUP command for elliotproebstel. 06-05-2020 12:49 AM
- Karma Re: Alert trigger conditions for somesoni2. 06-05-2020 12:49 AM
- Karma Re: Alert on specific EventCode values unless followed by a specific EventCode within a 5-minute span for woodcock. 06-05-2020 12:49 AM
- Karma Dedup within a MV field for pkashou. 06-05-2020 12:46 AM
- Karma Re: Dedup within a MV field for emiller42. 06-05-2020 12:46 AM
- Got Karma for Re: Dedup within a MV field. 06-05-2020 12:46 AM
- Karma Re: What is the OTHER field? for Johnvey. 06-05-2020 12:45 AM
- Posted Re: Alert trigger conditions on Alerting. 02-01-2018 12:04 PM
- Posted Alert trigger conditions on Alerting. 01-30-2018 01:18 PM
- Tagged Alert trigger conditions on Alerting. 01-30-2018 01:18 PM
- Posted Re: Alert on specific EventCode values unless followed by a specific EventCode within a 5-minute span on Splunk Dev. 01-02-2018 08:53 AM
- Posted Re: Alert on specific EventCode values unless followed by a specific EventCode within a 5-minute span on Splunk Dev. 01-02-2018 08:24 AM
- Posted Re: Alert on specific EventCode values unless followed by a specific EventCode within a 5-minute span on Splunk Dev. 01-01-2018 07:25 AM
- Posted Alert on specific EventCode values unless followed by a specific EventCode within a 5-minute span on Splunk Dev. 12-29-2017 12:01 PM
- Tagged Alert on specific EventCode values unless followed by a specific EventCode within a 5-minute span on Splunk Dev. 12-29-2017 12:01 PM
- Posted Re: Dedup within a MV field on Splunk Search. 12-12-2017 01:06 PM
- Posted Re: Understanding the LOOKUP command on Splunk Search. 12-08-2017 02:41 PM
Topics I've Started
01-30-2018 01:18 PM
Hello Splunk community,
I have an alert setup that will trigger when a website status does not equal 200:
index=perfmon host="nameofsearchhead" sourcetype=httpstatus
| where status!=200
| lookup Prod-Websites.csv url AS url OUTPUTNEW server
| table _time,url,status
The results in the statistics tab show up as three columns: time, url, status code.
The alert currently triggers whenever I receive more than 4 results (which could be 5 different urls, that had a single non-200 event each).
I would like for the alert to trigger whenever I receive more than 4 results (non-200 events) for a single url, instead.
- Tags:
- splunk-enterprise
01-02-2018 08:53 AM
One step closer.
I swapped out the field "EventCode" with "host" and now I'm seeing transactions.
| transaction host startswith=5014 endswith=5004 maxspan=5m
Next step would be to change this so that a transaction is created only when a "5004" or "1206" is not found (within 5 minutes of the error event, e.g., 5014 or 5008).
01-02-2018 08:24 AM
Woodcock,
This is the search I perform to find 5014 and 5004 events (for example).
index=wineventlogs sourcetype="WinEventLog:DFS Replication" (host=DC01 OR host=DC02 OR host=DC03) (EventCode=1202 OR EventCode=5002 OR EventCode=5008 OR EventCode=5012 OR EventCode=5014 OR EventCode=5004 OR EventCode=1206)
| rex "Message=(?<Message>.*)"
| table _time,Message,ComputerName,EventCode,Error
The first two events that result are as shown below:
1/1/18
11:00:57.000 PM
01/01/2018 11:00:57 PM
LogName=DFS Replication
SourceName=DFSR
EventCode=5004
EventType=4
1/1/18
11:00:51.000 PM
01/01/2018 11:00:51 PM
LogName=DFS Replication
SourceName=DFSR
EventCode=5014
EventType=3
When I add in the transaction command (as follows), no results are returned:
index=wineventlogs sourcetype="WinEventLog:DFS Replication" (host=DC01 OR host=DC02 OR host=DC03) (EventCode=1202 OR EventCode=5002 OR EventCode=5008 OR EventCode=5012 OR EventCode=5014 OR EventCode=5004 OR EventCode=1206)
| rex "Message=(?<Message>.*)"
| transaction EventCode startswith=5014 endswith=5004 maxspan=5m
The way I imagine the transaction command is supposed to work using the example above is it finds my 5014 event at 11:00:51 PM (which marks the beginning of a new transaction, specifically where a replication error occurred), and finds the 5004 event at 11:00:57 PM (which marks the end of the transaction); however, nothing is returned.
I seem to have taken a wrong turn.
01-01-2018 07:25 AM
I will give these a try tomorrow when I’m back in office and send an update.
12-29-2017 12:01 PM
Happy New Year,
I'm working on an alert for certain event codes regarding DFS Replication.
index=wineventlogs sourcetype="WinEventLog:DFS Replication" (host=host1 OR host=host2 OR host=host3) (EventCode=1202 OR EventCode=5002 OR EventCode=5008 OR EventCode=5012 OR EventCode=5014) earliest=-5m
| rex "Message=(?<Message>.*)"
| table _time,Message,ComputerName,EventCode,Error
I would like to return a result if any of the following EventCodes are found in an event from five minutes ago (EventCode 1202 OR 5002 OR 5008 OR 5012 OR 5014), unless followed by an event with either EventCode 5004 or 1206 (which represent a recovery) within five minutes of the error event code.
I'm eyeballing the case and validate functions, but I'm having some difficulty putting the picture together.
Thank you for any assistance.
- Tags:
- splunk-enterprise
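The two searches discussed in this thread (the `transaction` attempt with `startswith=5014 endswith=5004 maxspan=5m`, and the alert that should fire on an error code unless a recovery code follows within five minutes) modelled in plain Python over constructed DFSR events. This is an added example, not code from the thread or from Splunk; the host names, timestamps and the key=value layout are made up to match the shape of the events quoted above, and the transaction model only keeps transactions that close with a matching end event.

```python
"""Added example (not from the thread): models `transaction <field>
startswith=5014 endswith=5004 maxspan=5m` and the "error unless recovered
within 5 minutes" alert over constructed DFS Replication events."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

ERROR_CODES = {1202, 5002, 5008, 5012, 5014}   # codes the thread treats as errors
RECOVERY_CODES = {5004, 1206}                   # codes the thread treats as recovery
MAXSPAN = timedelta(minutes=5)

# Constructed sample events (hosts and times are invented for this example).
RAW_EVENTS = """\
01/01/2018 11:00:51 PM LogName=DFS Replication SourceName=DFSR host=DC01 EventCode=5014 EventType=3
01/01/2018 11:00:57 PM LogName=DFS Replication SourceName=DFSR host=DC01 EventCode=5004 EventType=4
01/01/2018 11:10:00 PM LogName=DFS Replication SourceName=DFSR host=DC02 EventCode=5008 EventType=3
01/01/2018 11:20:00 PM LogName=DFS Replication SourceName=DFSR host=DC02 EventCode=1206 EventType=4
01/01/2018 11:30:00 PM LogName=DFS Replication SourceName=DFSR host=DC03 EventCode=5002 EventType=3
"""

LINE_RE = re.compile(r"^(\S+ \S+ \S+) (.*)$")
# key=value pairs where a value may contain spaces (e.g. "DFS Replication")
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_events(raw: str) -> List[dict]:
    """Parse the key=value event layout into dicts with a datetime `_time`."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = {"_time": datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")}
        ev.update(dict(KV_RE.findall(m.group(2))))
        events.append(ev)
    return events


def transactions(events: List[dict], by_field: str, startswith: int,
                 endswith: int, maxspan: timedelta = MAXSPAN
                 ) -> List[Tuple[str, datetime, datetime]]:
    """Mimic `transaction <by_field> startswith=.. endswith=.. maxspan=..`.

    A transaction opens on a start event and closes only when an end event
    with the SAME value of `by_field` arrives within `maxspan`.  Grouping by
    EventCode can therefore never close: the start (5014) and end (5004)
    events carry different EventCode values, which is why the thread's first
    attempt returned nothing and grouping by host worked.
    """
    open_by_key: Dict[str, dict] = {}
    closed = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key, code = ev.get(by_field), int(ev["EventCode"])
        if code == startswith:
            open_by_key[key] = ev
        elif code == endswith and key in open_by_key:
            start = open_by_key.pop(key)
            if ev["_time"] - start["_time"] <= maxspan:
                closed.append((key, start["_time"], ev["_time"]))
    return closed


def unrecovered_errors(events: List[dict], window: timedelta = MAXSPAN
                       ) -> List[Tuple[str, int, datetime]]:
    """The alert the thread asks for: an error fires unless the same host logs
    a recovery code within `window` after it."""
    by_host: Dict[str, List[dict]] = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["_time"])
        for i, ev in enumerate(evs):
            code = int(ev["EventCode"])
            if code not in ERROR_CODES:
                continue
            recovered = any(
                int(later["EventCode"]) in RECOVERY_CODES
                and later["_time"] - ev["_time"] <= window
                for later in evs[i + 1:]
            )
            if not recovered:
                alerts.append((host, code, ev["_time"]))
    return sorted(alerts)


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    print("by EventCode:", transactions(evs, "EventCode", 5014, 5004))  # []
    print("by host:     ", transactions(evs, "host", 5014, 5004))       # DC01 closes
    for host, code, when in unrecovered_errors(evs):
        print(f"ALERT {host} EventCode={code} at {when:%H:%M:%S} (no recovery in 5m)")
```

Run as a script it shows the two outcomes side by side: grouping by EventCode yields no transaction, grouping by host closes the DC01 pair; the alert function then flags DC02 (recovery arrived after the window) and DC03 (no recovery at all) while DC01 stays quiet.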
12-08-2017 02:41 PM
This is by far the most easy-to-digest example of using and understanding the lookup command that I've found. Thank you for taking the time to lay this out. I owe you a beer or a coffee, sir.
10-17-2017 07:50 AM
Thank you for your response. I will give this a shot.
10-13-2017 11:45 AM
Hello Splunk community,
My team is tasked with creating alerts for standard server monitoring metrics (CPU, memory, etc.) and separating each alert by a list of prod hosts and non-prod hosts. In other words, a high CPU alert for prod hosts to trigger anytime 24/7, and a high CPU alert for non-prod hosts to only trigger between 7AM and 7PM.
Here is an example of how we're attempting to use lookup tables to narrow the alert to non-prod hosts for the 7AM to 7PM time window:
index=perfmon [| inputlookup ServerNonProd-NoSQL.csv | rename ServerHost as host ] sourcetype="Perfmon:CPU Load" counter="% Processor Time" earliest=-5m latest=now
| stats avg(Value) as metric by host
| where metric >= 80
| eval metric=round(metric, 2)
| table host,metric
My question: Is this the most effective way to accomplish this task (through separate lookup tables), or is there a more efficient or advisable way of accomplishing this task?
Thank you for any pointers!