topic Re: How to set up an alert if an ack message is not available for a particular req? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353014#M104491 <P>ohh Np woodcock. thanks for helping.</P> Mon, 13 Mar 2017 18:59:31 GMT prashanthberam 2017-03-13T18:59:31Z How to set up an alert if an ack message is not available for a particular req? https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353009#M104486 <P>Hi,<BR /> i have messages like this how to setup an alert if ack message is not available in the logs for particular req.<BR /> and between req and rsp is more than 30 sec i need to setup an one more alert.</P> <P>my logs like this:</P> <PRE><CODE>2017-03-10 15:56:42.056 [WMQJCAResourceAdapter : 1] [INFO ] [DCN 0201706380692310C] SplunkLog - CorrelationID=000001806003698150190841, DCN=0201706380692310C, TransactionTimestamp=2017-03-10 15:56:37.742, GroupNumber =000Y69HB3, ServiceLinecount=4, SectionNumber=0008, CorporateEntityCode=OK1, ClaimType=0, VendorName=VERSCEND, VendorCode=CVP, TransactionCode=RSP, UtilizationAmount=3.75 2017-03-10 15:56:39.003 [WMQJCAResourceAdapter : 6] [INFO ] [DCN 0201706380692310C] SplunkLog - CorrelationID=000001806003698150190841, DCN=0201706380692310C, TransactionTimestamp=2017-03-10 15:56:39.002, GroupNumber =000Y69HB3, ServiceLinecount=4, SectionNumber=0008, CorporateEntityCode=OK1, ClaimType=0, VendorName=VERSCEND, VendorCode=CVP, TransactionCode=ACK, OutCome=C, Messagetext=ACCEPTED 2017-03-10 15:56:36.939 [WMQJCAResourceAdapter : 1] [INFO ] [DCN 0201706380692310C] SplunkLog - CorrelationID=000001806003698150190841, DCN=0201706380692310C, TransactionTimestamp=2017-03-10 15:56:36.939, GroupNumber =000Y69HB3, ServiceLinecount=4, SectionNumber=0008, CorporateEntityCode=OK1, ClaimType=0, VendorName=VERSCEND, VendorCode=CVP, TransactionCode=REQ </CODE></PRE> Mon, 13 Mar 2017 18:24:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353009#M104486 prashanthberam 2017-03-13T18:24:31Z Re: How to set up an alert if an ack message is not available for a particular req? https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353010#M104487 <P>Like this:</P> <PRE><CODE>Your Base Search Here | stats count list(_time) AS times range(_time) AS duration list(TransactionCode) AS TransactionCode BY CorrelationID | search TransactionCode="REQ" AND NOT TransactionCode="ACK" </CODE></PRE> <P>And this:</P> <PRE><CODE>Your Base Search Here | stats count list(_time) AS times range(_time) AS duration list(TransactionCode) AS TransactionCode BY CorrelationID | search duration &gt; 30 AND TransactionCode="REQ" AND TransactionCode="RSP" </CODE></PRE> Mon, 13 Mar 2017 18:33:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353010#M104487 woodcock 2017-03-13T18:33:48Z Re: How to set up an alert if an ack message is not available for a particular req? https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353011#M104488 <P>Assuming there is a unique transaction ID available in log for each req-ack-rsp combination, you could do like this (assuming CorrelationID is the unique identifier, if there are multiple columns add them to stats's by clause)</P> <P><STRONG>Updated mv funtion</STRONG></P> <P>Alert when there is no ACK event for a transaction</P> <PRE><CODE>your base search fetching all records | stats min(_time) as StartTime max(_time) as EndTime values(TransactionCode) as TransactionCodes by CorrelationID | eval _time=StartTime | where isnull(mvfilter(match(TransactionCodes,"ACK"))) </CODE></PRE> <P>Alert when transaction duration is more than 30 sec</P> <PRE><CODE>your base search fetching all records | stats min(_time) as StartTime max(_time) as EndTime values(TransactionCode) as TransactionCodes by CorrelationID | eval _time=StartTime | eval duration=EndTime-StartTime | where mvcount(TransactionCodes)=3 AND duration&gt;30 </CODE></PRE> Mon, 13 Mar 2017 18:36:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353011#M104488 somesoni2 2017-03-13T18:36:01Z Re: How to set up an alert if an ack message is not available for a particular req? https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353012#M104489 <P>while am searching first query am getting this Error in 'where' command: The arguments to the 'mvfind' function are invalid. what it means. may i know the reason.</P> Mon, 13 Mar 2017 18:54:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353012#M104489 prashanthberam 2017-03-13T18:54:07Z Re: How to set up an alert if an ack message is not available for a particular req? https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353013#M104490 <P>I am done editing; sorry for the churn; I did not notice the 2nd part of the question.</P> Mon, 13 Mar 2017 18:55:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353013#M104490 woodcock 2017-03-13T18:55:55Z Re: How to set up an alert if an ack message is not available for a particular req? https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353014#M104491 <P>ohh Np woodcock. thanks for helping.</P> Mon, 13 Mar 2017 18:59:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353014#M104491 prashanthberam 2017-03-13T18:59:31Z Re: How to set up an alert if an ack message is not available for a particular req? https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353015#M104492 <P>Oops. Used wrong function. Just updated the query to use correct function.</P> Mon, 13 Mar 2017 19:03:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353015#M104492 somesoni2 2017-03-13T19:03:05Z Re: How to set up an alert if an ack message is not available for a particular req? https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353016#M104493 <P>I lied; I had an extra <CODE>NOT</CODE> in my 2nd answer. It is all good now.</P> Mon, 13 Mar 2017 19:06:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353016#M104493 woodcock 2017-03-13T19:06:23Z Re: How to set up an alert if an ack message is not available for a particular req? https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353017#M104494 <P>Thanks for the help Somesoni2 . Now it's working ..</P> Mon, 13 Mar 2017 19:13:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353017#M104494 prashanthberam 2017-03-13T19:13:01Z Re: How to set up an alert if an ack message is not available for a particular req? https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353018#M104495 <P>ya i haven't noticed that one. thanks woodcock</P> Mon, 13 Mar 2017 19:14:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-up-an-alert-if-an-ack-message-is-not-available-for-a/m-p/353018#M104495 prashanthberam 2017-03-13T19:14:31Z