https://community.splunk.com/t5/Alerting/Splunk-alert-to-get-consecutive-errors-from-logs/m-p/192588#M12416 <P>Please show examples of the logs you're using - specifically show the log entries that hold the data upon which you need to search. Also, please clarify what you mean by "consecutively" in this context. Is this simply a count of &gt; 25 times a particular error has happened within the last three hours? Is it a specific series of 25 events in a certain order?</P> Mon, 11 May 2015 19:59:57 GMT jtrucks 2015-05-11T19:59:57Z https://community.splunk.com/t5/Alerting/Splunk-alert-to-get-consecutive-errors-from-logs/m-p/192587#M12415 <P>Hello Support,</P> <P>I need a query to get all the errors/exception which are occuring consecutively for more than 25 times in last 3 hours? Could you help?</P> <P>Thanks<BR /> Ritwik</P> Mon, 11 May 2015 19:26:57 GMT https://community.splunk.com/t5/Alerting/Splunk-alert-to-get-consecutive-errors-from-logs/m-p/192587#M12415 ritwikva 2015-05-11T19:26:57Z https://community.splunk.com/t5/Alerting/Splunk-alert-to-get-consecutive-errors-from-logs/m-p/192588#M12416 <P>Please show examples of the logs you're using - specifically show the log entries that hold the data upon which you need to search. Also, please clarify what you mean by "consecutively" in this context. Is this simply a count of &gt; 25 times a particular error has happened within the last three hours? Is it a specific series of 25 events in a certain order?</P> Mon, 11 May 2015 19:59:57 GMT https://community.splunk.com/t5/Alerting/Splunk-alert-to-get-consecutive-errors-from-logs/m-p/192588#M12416 jtrucks 2015-05-11T19:59:57Z https://community.splunk.com/t5/Alerting/Splunk-alert-to-get-consecutive-errors-from-logs/m-p/192589#M12417 <P>Hello Jtrucks,</P> <P>Thanks for the quick reply.</P> <P>Here is an example of the log entry</P> <P>May 11, 2015 3:38:30 PM org.apache.axis2.transport.http.HTTPSender sendViaPost<BR /> INFO: Unable to sendViaPost to url[<A href="http://customer.xxx.com:19100/CashCRUDWebservice/endpoints">http://customer.xxx.com:19100/CashCRUDWebservice/endpoints</A>]<BR /> java.net.SocketTimeoutException: Read timed out<BR /> at java.net.SocketInputStream.socketRead0(Native Method)<BR /> at java.net.SocketInputStream.read(SocketInputStream.java:152)<BR /> at java.net.SocketInputStream.read(SocketInputStream.java:122)<BR /> at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)<BR /> at java.io.BufferedInputStream.read(BufferedInputStream.java:254)<BR /> at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)</P> <P>**** Error Mon May 11 3:40:00 PM 2015 /com/commerce/droplets/FetchStoreForCommItemDroplet InvalidParameterException </P> <P>Here in the above log entry, I like to find out if any of the exception occurred more than 25 times in a 3 hour window.</P> Mon, 11 May 2015 20:44:49 GMT https://community.splunk.com/t5/Alerting/Splunk-alert-to-get-consecutive-errors-from-logs/m-p/192589#M12417 ritwikva 2015-05-11T20:44:49Z https://community.splunk.com/t5/Alerting/Splunk-alert-to-get-consecutive-errors-from-logs/m-p/192590#M12418 <P>Something like this:</P> <PRE><CODE>sourcetype=mylogs err* OR exception | stats count by host | where count&gt;25 </CODE></PRE> Tue, 19 May 2015 16:05:46 GMT https://community.splunk.com/t5/Alerting/Splunk-alert-to-get-consecutive-errors-from-logs/m-p/192590#M12418 woodcock 2015-05-19T16:05:46Z https://community.splunk.com/t5/Alerting/Splunk-alert-to-get-consecutive-errors-from-logs/m-p/192591#M12419 <P>does it's true if there are some success events between error events.</P> Wed, 18 Sep 2019 08:32:18 GMT https://community.splunk.com/t5/Alerting/Splunk-alert-to-get-consecutive-errors-from-logs/m-p/192591#M12419 vietlq414 2019-09-18T08:32:18Z