
How to create an email alert when the error count on a server is more than 10 occurrences in a 15 minute interval?

Contributor

Hi,

I have this simple search to find out some errors in the logs:

index=cohl source=msmq  earliest=-24h@h latest=now  "System.Data.SqlClient.SqlException: Timeout expired*" "Servername*" | xmlkv | dedup Machine | stats count by Machine

As a result of this search, I get a table which has one row listing all of the servers and another row listing the count; this count is the number of occurrences of the keyword.

I need to create an alert to send an email if, in 15 minutes, the count on any of the servers is more than 10. Any idea how to do it?

0 Karma

Re: How to create an email alert when the error count on a server is more than 10 occurrences in a 15 minute interval?

SplunkTrust

Have your search look back 15 minutes and, in the spot labeled "Trigger alert when", use the "Custom" action and add:

search count>10

If, on the other hand, you want to look back 24 hours and get a count for every 15 minutes, try

your base search | bin _time span=15m | stats count BY _time Machine | search count>10

In addition, there's no need to dedup Machine when you use stats count BY Machine.

0 Karma
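The two alert variants described in the answer above, written as savedsearches.conf stanzas rather than clicked through the Save As > Alert dialog. This is an added example, not configuration from the thread or from Splunk's documentation; the stanza names, the recipient address and the email subjects are assumptions, while the base search (index=cohl, source=msmq, the SqlException phrase) and the trigger condition `search count>10` are taken from the posts.

```ini
# Added example, not from the thread. Stanza names, recipient address and
# subjects are assumptions; the base search and trigger text come from the
# question and answer.

# Variant 1: run every 15 minutes over the last 15 minutes and fire when any
# Machine has more than 10 matching events. The "dedup Machine" from the
# original search is dropped: it would leave one event per machine, so
# "stats count by Machine" would always report 1 and the alert could never fire.
[msmq_sql_timeout_per_server_15m]
search = index=cohl source=msmq "System.Data.SqlClient.SqlException: Timeout expired*" "Servername*" | xmlkv | stats count by Machine
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
# Custom trigger condition: the same text the answer says to put under
# "Trigger alert when" > Custom. Splunk appends it to the result rows, and the
# alert fires when at least one row survives the filter.
alert_type = custom
alert_condition = search count>10
alert.track = 1
# One email per run carrying every machine over the threshold, not one per row.
alert.digest_mode = 1
action.email = 1
action.email.to = ops-team@example.com
action.email.subject = More than 10 SQL timeouts in 15 minutes on at least one server
action.email.inline = 1
action.email.sendresults = 1
action.email.format = table

# Variant 2: look back 24 hours and evaluate every 15-minute window, so the
# emailed table shows which windows and which machines crossed 10.
# The threshold filter is already in the search, so the alert fires whenever
# the search returns any rows at all.
[msmq_sql_timeout_per_server_24h_windows]
search = index=cohl source=msmq "System.Data.SqlClient.SqlException: Timeout expired*" "Servername*" | xmlkv | bin _time span=15m | stats count by _time Machine | search count>10
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
alert.digest_mode = 1
action.email = 1
action.email.to = ops-team@example.com
action.email.subject = SQL timeout spikes per server in the last 24 hours
action.email.inline = 1
action.email.sendresults = 1
action.email.format = table
```

Variant 1 matches the original requirement (alert when any server exceeds 10 in the last 15 minutes) and is the one to use for paging. Variant 2 re-reports older windows on every hourly run, so it suits a daily review rather than an on-call alert; if you want it to fire only once per window, add a throttle with alert.suppress and alert.suppress.fields set to _time and Machine.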

Re: How to create an email alert when the error count on a server is more than 10 occurrences in a 15 minute interval?

Contributor

I can do that, but my requirement is a little bit different.

As I mentioned in my question, each server will have a certain number of events, and the result of my query will give the list of servers. I want to send an alert when, on any of the servers, the number of occurrences of events is more than 10.

0 Karma

Re: How to create an email alert when the error count on a server is more than 10 occurrences in a 15 minute interval?

SplunkTrust

If that's the case, then the first part of my answer is what you want.

0 Karma