Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to artificially insert event based on an existing event value?

alfredoh14
Explorer
‎08-05-2022 03:52 PM

Hello,
I have a log file that admins can write when they start or stop their server maintenance.
This is then jued to silence email alerts so admins do not get email alerts when they are doing server maintenance.
When the admin will start server maintenance they will write "start of maintenance...." into a specific log file (the source).
When the admin will stop server maintenance they will then write "sen of maintenance...", to that same file.

However, since the email alerts reset themselves after a period (4 hours ) after splunk read the "start of maintenance..." some admins will "forget" to write the "stop of maintenance..." to this file.

task:
I need to have an "start of maintenance..." and corresponding "end of maintenance..." entry.
if I only have a "start of maintenance..." then I must use SPL to insert an event that has "end of maintenance..." and that the _time (or another field that is time-related) has the time of the "start of maintenance..." + 4 hours.
So for example, if "start of maintenance..." _time is 2022/08/05 16:00:00 then I must create a event that has _time (or a time field)) of 2022/08/05 20:00:00.
If there is a corresponding "end of maintenance...." within 4 hours of having a "start of maintenance..." then I should do nothing.

My ultimate goal is to create a dashboard with results filtered by "start of maintenance.." _time and "end of maintenance..." _time, but in order to do this I first have to make sure I have both "start of maintenance..." and "end of maintenance..." _time/Time values.

 

Labels (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-06-2022 03:51 AM 
<your search> [<your maintenance log search>
  ``` Use mvrange to duplicate start events ```
  | eval range=if(match(event,"start"),mvrange(0,2),null())
  | mvexpand range
  ``` Change duplicated event to 4 hours later ```
  | eval _time=if(range=1,_time+(60*60*4),_time)
  ``` Make duplicated event an end of maintenace event ```
  | eval event=if(range=1,"end of maintenance",event)
  ``` Sort in descending time order (latest first) ```
  | sort 0 -_time
  ``` Set latest to the time of end events ```
  | eval latest=if(match(event,"end"),_time,null())
  ``` Copy latest time to next event ```
  | filldown latest
  ``` Just keep start events (now with time of next end event) ```
  | where match(event,"start")
  ``` Assuming you want just the latest maintenance period ```
  | head 1
  | rename _time as earliest
  ``` Use earliest and latest to filter your main search ```
  | fields earliest latest]
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎08-05-2022 10:17 PM

Similar to the idea presented in your other thread, if you can sacrifice performance, you can use transaction.  For the 4-hour limit, it has a maxspan option, e.g.,

| transaction startswith="start of maintenance" endswith="end of maintenance" maxspan=4h
| search closed_txn=0
0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...