Could someone help with building this alert?

Miky
Explorer

Hi All,

Can somebody help me start building this alert:

Alert on PW Startup Critical Failure

    1. Alert should trigger if any events with the following error message are seen.  The impacted hosts should be listed in the alert email.
    2. Base Search: index=app_v source=*System.log "Instantiation of bean failed; nested exception is org.springwork.beans.BeanInstantiationException: Could not instantiate bean class [iv.ws.report.pw.ipg.cache.SchedulerJob]: Constructor threw exception"
    3. The PW application has not started up successfully following a code deployment or server start.  
0 Karma

Taruchit
Contributor

Hi @Miky,

As I understand it, you are looking for the below error in Splunk logs:

Instantiation of bean failed; nested exception is org.springwork.beans.BeanInstantiationException: Could not instantiate bean class [iv.ws.report.pw.ipg.cache.SchedulerJob]: Constructor threw exception


index="app_v" source="*System.log" AND "Instantiation of bean failed;" AND "nested exception is org.springwork.beans.BeanInstantiationException: Could not instantiate bean class [iv.ws.report.pw.ipg.cache.SchedulerJob]: Constructor threw exception"
| stats values(host)


Then you can save the result as an alert.

Please share if you need more details.

Thank you

0 Karma

Miky
Explorer

Hi Taruchit,

Thanks for help!

Will this alert trigger if any of the events occur? How can I trigger this in a table format in the email with _time, host, source, errormessage?

Thanks,

0 Karma

Taruchit
Contributor

Hi @Miky,

You can schedule the alert to run every hour and set the time range of your SPL to fetch data for last 60 minutes. Thus, every hour the SPL will check for events that have the error string and will consolidate those events and send an alert notification to you.

You can use the |table command to list all the fields you need in the final result of the SPL.
The alert will share the same with you. When you configure the alert, it gives you the option to publish the results in the email body as a table, or to attach a csv file of all events that the SPL fetches.

Please share if the above resolves your issue.

Thank you

0 Karma

Miky
Explorer

Thanks again Taruchit,

So I tried using the table command to display time, host and source, but I'm not getting any results.
Any hint on how to do it, please?

0 Karma

Taruchit
Contributor

Hi @Miky,

Can you please share the SPL you used for the alert here? You can mask the business-specific values like index name, source name, sourcetype and any other relevant details you do not want to share.

I just want to understand your SPL to help you with it.

Thank you

0 Karma

Miky
Explorer

Index="a"   source="b" AND "Instantiation of bean failed;" AND "nested exception is framework"

| stats values(host)
| table _time, host, source

0 Karma

Taruchit
Contributor


index="a"   source="b" AND "Instantiation of bean failed;" AND "nested exception is framework"

| stats values(host) AS host BY _time, source
| table _time, host, source


Please see if the above gives you the desired results.

0 Karma
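A fuller version of the accepted search, added here as an example and not taken from the thread: it lists the impacted hosts as the original requirement asks, and carries the error message into the table as the errormessage field the follow-up question wanted. The rex extraction, the per-host aggregation and the field names occurrences, first_seen and last_seen are assumptions.

```spl
index="app_v" source="*System.log" "Instantiation of bean failed;" "nested exception is org.springwork.beans.BeanInstantiationException: Could not instantiate bean class [iv.ws.report.pw.ipg.cache.SchedulerJob]: Constructor threw exception"
| rex field=_raw "(?<errormessage>Instantiation of bean failed;.*)"
| stats count AS occurrences, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(source) AS source, values(errormessage) AS errormessage BY host
| convert ctime(first_seen) ctime(last_seen)
| table host, source, first_seen, last_seen, occurrences, errormessage
```

Schedule it hourly over the last 60 minutes with the trigger condition "Number of results is greater than 0", so one row per affected host reaches the email table rather than one row per raw event.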