Alerting

How to create an email alert when the error count on a server is more than 10 occurrences in a 15-minute interval?

Contributor

Hi,

I have this simple search to find out some errors in the logs:

index=cohl source=msmq  earliest=-24h@h latest=now  "System.Data.SqlClient.SqlException: Timeout expired*" "Servername*" | xmlkv | dedup Machine | stats count by Machine

As a result of this search, I get a table which has one row listing all of the servers and another row listing the count; this count is the number of occurrences of the keyword.

I need to create an alert to send an email if, in 15 minutes, the count on any of the servers is more than 10. Any idea how to do it?


SplunkTrust

Have your search look back 15 minutes and, in the spot labeled "Trigger alert when", use the "Custom" action and add:

search count>10

If, on the other hand, you want to look back 24 hours and get a count for every 15 minutes, try

your base search | bin _time span=15m | stats count BY _time Machine | search count>10

In addition, there's no need to dedup Machine when you use stats count BY Machine

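The pipeline suggested in the answer above, modelled in Python so the bucketing and threshold logic can be run offline against sample data. This is an added example, not code from the thread or from Splunk: the timestamps, machine names and the constructed log events are made up for the demonstration, and the functions mirror `bin _time span=15m`, `stats count BY _time Machine` and `search count>10` step by step. It also shows why the original `dedup Machine` before `stats count BY Machine` is a problem: every machine collapses to one event, so the count can never exceed the threshold.

```python
"""
Added example (not from the original thread): a Python model of

    ... | bin _time span=15m | stats count BY _time Machine | search count>10

run over constructed sample events, plus the dedup pitfall noted above.
Timestamps and machine names are constructed, not from the poster's environment.
"""
from collections import Counter
from datetime import datetime, timezone

SPAN_SECONDS = 15 * 60   # span=15m
THRESHOLD = 10           # search count>10

# Constructed sample events: (ISO-8601 timestamp, Machine field).
# SQL-A logs 12 timeouts inside one 15-minute bucket (10:00-10:11);
# SQL-B logs 3 spread across three different buckets.
SAMPLE_EVENTS = (
    [("2023-05-01T10:%02d:00Z" % m, "SQL-A") for m in range(0, 12)]
    + [("2023-05-01T10:%02d:00Z" % m, "SQL-B") for m in (5, 20, 40)]
)


def parse_ts(ts: str) -> int:
    """ISO-8601 'Z' timestamp -> Unix epoch seconds (what Splunk's _time holds)."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def bin_time(epoch: int, span: int = SPAN_SECONDS) -> int:
    """Equivalent of `bin _time span=15m`: floor the timestamp to its bucket start."""
    return epoch - (epoch % span)


def count_by_bucket_and_machine(events, span=SPAN_SECONDS):
    """Equivalent of `bin _time span=15m | stats count BY _time Machine`.
    Returns {(bucket_start_epoch, machine): count}."""
    counts = Counter()
    for ts, machine in events:
        counts[(bin_time(parse_ts(ts), span), machine)] += 1
    return dict(counts)


def over_threshold(counts, threshold=THRESHOLD):
    """Equivalent of `search count>N`: keep only rows exceeding the threshold.
    A non-empty result is what the alert should fire on."""
    return {k: v for k, v in counts.items() if v > threshold}


def count_with_dedup_first(events):
    """The poster's original ordering: `dedup Machine | stats count BY Machine`.
    dedup keeps one event per Machine, so every count is 1 and the
    threshold can never be reached."""
    seen = {}
    for ts, machine in events:
        seen.setdefault(machine, ts)          # first event per machine survives
    return Counter(machine for machine in seen)  # one row per machine, count 1


if __name__ == "__main__":
    buckets = count_by_bucket_and_machine(SAMPLE_EVENTS)
    for (bucket, machine), n in sorted(buckets.items()):
        print(datetime.fromtimestamp(bucket, timezone.utc).isoformat(), machine, n)
    print("alert on:", over_threshold(buckets))
    print("with dedup first:", dict(count_with_dedup_first(SAMPLE_EVENTS)))
```

With the sample data, only SQL-A in the 10:00 bucket exceeds 10 (12 events) and would trigger the alert; with `dedup Machine` applied first, both machines report a count of 1 and nothing ever fires.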

Contributor

I can do that, but my requirement is a little bit different.

As I mentioned in my question, each server will have a certain number of events and the result of my query will give the list of servers. I want to send an alert when, on any of the servers, the number of occurrences of events is more than 10.


SplunkTrust

If that's the case, then the first part of my answer is what you want.
