Re: How to create an email alert when the error co...

macadminrohit · ‎10-21-2016

Hi,

I have this simple search to find out some errors in the logs:

index=cohl source=msmq  earliest=-24h@h latest=now  "System.Data.SqlClient.SqlException: Timeout expired*" "Servername*" | xmlkv | dedup Machine | stats count by Machine

As a result of this search, I get a table which has one row listing of all the servers and another row listing the count, this count is the number of occurrences of the keyword.

I need to create an alert to send email if, in 15 minutes, the count on any of the servers is more than 10. Any idea on how to do it??

Yorokobi · ‎10-21-2016

Have your search look back 15 minutes and in spot labeled "Trigger alert when", use the "Custom" action and add :

search count>10

If, on the other hand, you want to look back 24 hours and get a count for every 15 minutes, try

your base search | bin _time span=15m | stats count BY _time Machine | search count>10

In addition, there's no need to dedup Machine when you use stats count BY Machine

macadminrohit · ‎10-24-2016

I can do that, but my requirement is little bit different.

As I mentioned in my question, each server will have certain number of events and the result of my query will give the list of servers, I want to send an alert when on any of the server the number of occurrences of events is more than 10.

Yorokobi · ‎10-24-2016

If that's the case, then the first part of my answer is what you want.

How to create an email alert when the error count on a server is more than 10 occurrences in a 15 minute interval?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!