How do I get Splunk to generate an alert for multi...

Magnus_001 · ‎09-02-2022

Hello,

I am trying to monitor an application log and have Splunk generate an alert only when the service_status = "disconnected" and service_status="connected" entries are logged and the time between the two is greater than the span of 10 seconds OR if the Service_status = "disconnected" is the only entry being logged. I've been experimenting with the transaction command but I am not getting the desired results. Thanks in advance for any help with this.

Example log entries:

--- service is okay, do not generate an alert.---

9/2/2022 00:10:36.683 service_status = "disconnected"

9/2/2022 00:10:38.236 service_status="connected"

--- service is down, generate an alert.---

9/2/2022 00:10:40.683 service_status = "disconnected"

9/2/2022 00:10:51.736 service_status="connected"

--- service is down, service_status="connected" event is missing, generate an alert.---

9/2/2022 01:15:15.603 service_status = "disconnected"

gcusello · ‎09-02-2022

Hi @Magnus_001,

you could use the transaction command but it's a very slow command, so I hint a different approach:

index=your_index (service_status="disconnected" OR service_status="connected")
| bin span=10s _time
| stats dc(service_status) AS service_status_count values(service_status) AS service_status BY _time
| where service_status_count=1 AND service_status="disconnected"

Ciao.

Giuseppe

How do I get Splunk to generate an alert for multiple conditions?

alert condition

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Are you a member of the Splunk Community?