Forums: SplunkSearchAndAlert

Hello, I am a splunk user... I am able to schedule as many searches with email alerts, but I noticed only 4 run thier jobs. the others say no job - reload. Please advice if this has to do with user limitations, as my Splunk admin is not sure why the other jobs don not run. Thanks, James C.

Hi all, is it possible to perform something like the following (psuedo search code fyi) **search "login" between 19:00:00 and 05:00:00 any day this week** Essentially I want to be able to look for any event that match "login" that occured between 19:00 and 05:00 (for example) on any day this ...

I am trying to create a report that compares successful vs. unsuccessful sets of actions grouped into a transaction: host="web*" (uri_path=/path1/* OR uri_path=/path2/* OR uri_path=/path3/*) | transam clientip maxspan=60m | timechart count by searchmatch(uri=/path3/success) I am trying to chart ...

I have a log in csv. The column "service" can only be 2 entries (ACCT or RAD) another column for "Date" and one for "Time". I'd like to do a line or Area graph showing both of the 2 possible service entries overlayed in 2 colors over a span of time. The reason is they should coincide, if the graph ...

I am trying to group together records as transaction and ultimately alert on them based on a set of conditions. Grouping them together was not a problem, alerting on conditions has proven to be. Below are the conditions I am trying to alert on every 60 minutes. The first being the transaction has ...

Hi all. I'm pretty new to splunk and need a little assistance. We' have a saved search in our splunk instance that was created by our admin user. If I run the saved search as the admin user, it works perfectly. If I log out and run the same saved search as my user, I see results in the graph, but ...

Hello, I have setup a search query that is scheduled to run every hour and alert if there are any results. The issue i am having is that i receive an email even if there are no results. .... | sendemail to="test@test.com" format=text inline=true subject=test server=test sendresults=true If ...

Hi, migrating Splunk3 apps to 4.x I came across this scenario that uses 'transaction' after 'set' and transaction refuses the setoperation (expecting events in descending order). | set [...subsearch producing columns A and B...] [...subsearch producing columns B and C] | transaction fields=B | ...

I've created an app to show some data extracted from an index, filtering with some fields selected by the user using a search form. In this form, I added a line like the one that I'm copying below: <searchTemplate>sourcetype="one_sourcetype" source="some_source" $fieldA$ $fieldB$</searchTemplate> Then, ...

Our application always generate a new log-file for each session. Now we have a problem with exceptions like **"read error on FFFFFFDC"** in the log. Once they started the log-file are often full of them. I want to do a search on **"read error on FFFF*"** but only get one hit per file or session. How ...

We have a savedsearch, executed on Saturday at 6:02 AM with enabledSched. This search sent an email with 616 events. The same search, executed from CLI as {{splunk search "| savedsearch //<SearchName>//}} on Saturday at 6:03 AM, resulted in only 100 events. This Search collects events from ...

I was wondering if there was a way to execute one search, then another search based on a field value of the first, and appending the column from the second search to the first set of fields? Exactly like a database join. My scenario: I have the IP for sites that go up and down from our VPN routers. ...

Hey - We monitor middleware SOAP logs and one of the ways we search is on session Ids. These can be up to 500 bytes in length. So far, we've been unable to search on the session id. Whenever we run a search, Splunk returns a 500 internal error. Does anyone know if this is a Splunk limitation? ...

I was looking for a "NOT IN" SQL kind of functionality in Splunk to get events from one index that are not in another index based on some field, but i couldn't find such a functionality in Splunk. So, how do i get events from one index based on a filed value which is not in another index ? Equivalent ...

how to schedule a search to export results to csv automatically on a minute basis ?

Just configured some indexing and searches using 4.0.9. I can check my searches and validate that the search terms are appearing, but despite configuring the email alerts (and setting the options in the Manager page) I don't get notification. I have been able t configure RSS feed mind. I was trying ...

Pretty simple to reproduce. I have a similar search, more complex however. Can anyone help me understand why the field "icon" returns "None" in cli? should be "Green.jpg" ./splunk search "index="_internal" metrics |head 200 |timechart span=1d sum(cpu_seconds) |eval icon = if(cpu_seconds < ...

I have a need for a script that can take the fields of a saved search and make syslog type (UDP) output from the Splunk Server. OR If there is any other way to re-hydrate indexed data in syslog format...I would take that as well.

I would like to implement a custom search that allows me to search for any URL that contains a number, but is NOT an IP address. Does anyone have any suggetions?

Hello I am having some problems. I have create about 8 different alerts but only one or two of them ever run. I am on splunk version 4.0.8. Any ideas as to why or any question.