https://community.splunk.com/t5/Splunk-Search/Identify-when-has-appear-more-than-10-errors-in-one-hour/m-p/340284#M100905 <P>Hi, splunkers.</P> <P>I need to generate an alert when the count of errors are greater than 10 in one hour. This is easy, but now, I need to do an evolution time chart with the alerts that have occurred. With the data of last one month, I had thought make a timechart with span=1h, but this really does not give the wanted result (because, for example, if we have 5 errors between 12:00 and 13:00, and 7 errors between 13:00 and 14:00 it does not showing error, but it can be error if the 12 errors would be within period of 60 minutes). </P> <P>We have same trouble with transaction. If I make a transaction establishing a maxspan of 1h, Splunk would detects the first error event and would search error events for next hour, making that if there are 5 errors in the first time period, and 7 in the next period, it does not recognizing it like there was more than 10 errors in a period of 60 mins. We have tried to use maxevents in transaction instead of maxspan and making a eval the duration of the transaction, but in this case Splunk would make bundles of 10 events, because of this neither is valid to our needed.</P> <P>Could you help me?</P> <P>Thanks a lot!!!</P> Thu, 14 Dec 2017 13:28:55 GMT nsanchezfernand 2017-12-14T13:28:55Z https://community.splunk.com/t5/Splunk-Search/Identify-when-has-appear-more-than-10-errors-in-one-hour/m-p/340284#M100905 <P>Hi, splunkers.</P> <P>I need to generate an alert when the count of errors are greater than 10 in one hour. This is easy, but now, I need to do an evolution time chart with the alerts that have occurred. With the data of last one month, I had thought make a timechart with span=1h, but this really does not give the wanted result (because, for example, if we have 5 errors between 12:00 and 13:00, and 7 errors between 13:00 and 14:00 it does not showing error, but it can be error if the 12 errors would be within period of 60 minutes). </P> <P>We have same trouble with transaction. If I make a transaction establishing a maxspan of 1h, Splunk would detects the first error event and would search error events for next hour, making that if there are 5 errors in the first time period, and 7 in the next period, it does not recognizing it like there was more than 10 errors in a period of 60 mins. We have tried to use maxevents in transaction instead of maxspan and making a eval the duration of the transaction, but in this case Splunk would make bundles of 10 events, because of this neither is valid to our needed.</P> <P>Could you help me?</P> <P>Thanks a lot!!!</P> Thu, 14 Dec 2017 13:28:55 GMT https://community.splunk.com/t5/Splunk-Search/Identify-when-has-appear-more-than-10-errors-in-one-hour/m-p/340284#M100905 nsanchezfernand 2017-12-14T13:28:55Z https://community.splunk.com/t5/Splunk-Search/Identify-when-has-appear-more-than-10-errors-in-one-hour/m-p/340285#M100906 <P>Start with the solution here, to collect and mark all the events you want. Obviously, you will change the conditions to be <CODE>60m</CODE> and specify the events you want to portray... </P> <P><A href="https://answers.splunk.com/answers/597583/count-something-with-a-specifc-rule-and-time.html#answer-597274">https://answers.splunk.com/answers/597583/count-something-with-a-specifc-rule-and-time.html#answer-597274</A></P> <P>Do the optional thing at the end to mark all the individual events, then drop all the ones that are not marked.</P> <P>This gives you events that you can just drop straight into <CODE>timechart</CODE> and let it do its thing. </P> Thu, 14 Dec 2017 21:36:48 GMT https://community.splunk.com/t5/Splunk-Search/Identify-when-has-appear-more-than-10-errors-in-one-hour/m-p/340285#M100906 DalJeanis 2017-12-14T21:36:48Z