topic Alert Query in Alerting

Alert Query

FayazAhmed — Thu, 31 Jan 2019 09:00:39 GMT

Hi,

I have to search the string below
Error Code : 5010 | Barcodes {X}
X is some value, and it can be change frequently, I need to raise an alert when one barcode is repeating twice and not raising the alert for same barcode throughout a day.
What should be my search, and how can I display for which barcode I have raised the alert.
Thanks in Advance

Re: Alert Query

DMohn — Thu, 31 Jan 2019 13:07:58 GMT

Given you have not extracted your fields yet you could try it like this:

 <base search> | rex field=_raw "Error\sCode\s:\s(?<error_code>[\d]+)\s\|\sBarcodes\s\{(?<barcodes>[^\}]+)" | where error_code=5010 | stats count by barcodes | where count > 1

Save the search as an alert and set the trigger condition to number of results greater than 0, and alert for each result, activate throtteling and set the throttle period to 1 day.

Then you may add any desired alert action.

Re: Alert Query

kamlesh_vaghela — Thu, 31 Jan 2019 13:11:37 GMT

@FayazAhmed

I think you query should be like below.

index=your_index "Error Code : 5010" Barcodes=* | stats count by Barcodes  |where count=2

if your events have Error_Code field then

index=your_index Error_Code=5010 Barcodes=* | stats count by Barcodes  |where count=2

Create an alert using any of above search. Use below link to create search.

https://docs.splunk.com/Documentation/Splunk/7.2.3/Alert/Alertexamples

for not raising the alert for same barcode throughout a day, you have to set Throttle with field=Barcodes and Throttle period is 1 day.

https://docs.splunk.com/Documentation/Splunk/7.2.3/Alert/Alertexamples#Throttle_the_real-time_alert

Thanks

Re: Alert Query

richgalloway — Thu, 31 Jan 2019 15:46:12 GMT

You can find duplicate barcodes using a query like this one.

<your search for barcodes> earliest=@d | stats count by Barcodes | where count > 1

Prevent multiple alerts by using the Throttle option in the alert configuration.

Re: Alert Query

FayazAhmed — Fri, 01 Feb 2019 12:53:44 GMT

@DMohn
Thank you very much the reply
My log snippet looks like below
Error Code : 5010 | Barcodes 000323334011 |
if the above mentioned Barcode is repeating twice then I should raise an alert,

The barcode can change frequently.

Can you please suggest.

Re: Alert Query

FayazAhmed — Fri, 01 Feb 2019 12:54:47 GMT

Hi @kamlesh_vaghela

Thank you for the help,

The search didn't help my query

My log snippet looks like below
Error Code : 5010 | Barcodes 000323334011 |
if the above mentioned Barcode is repeating twice then I should raise an alert,

The barcode can change frequently.

Can you please suggest.

Re: Alert Query

DMohn — Tue, 05 Feb 2019 10:24:30 GMT

@FayazAhmed Please use the following search:

 <base search> | rex field=_raw "Error\sCode\s\:\s(?<error_code>[\d]+)\s\|\sBarcodes\s(?<barcodes>[\d]+)\s" | where error_code=2010 | stats count by barcodes | where count > 1 | table barcodes

It should do exactly what you want. Just replace the <base search> part with a search that shows your desired logs (like index=mylogs sourcetype=barcode_errors or similar).

Then use the "Save as" link in the right top above the search bar, save as Alert, set a schedule time as desired, set the trigger condition to "number of results" greater than 0, set to alert for each result, and set throtteling to 1 day.

Happy Splunking!