Hi Splunk Gurus!!!
I have the below query in my environment to find out the seconds it took for the job to complete/not complete.
"Ping to url [/services/Queue/ProcessDius] took" AND "seconds and resulted in status code NoContent" | rex field=_raw "took (?<ProcessTime>\d+\.?\d*) seconds" | where ProcessTime > 60
What I am trying to achieve is to create an alert, if possible, where the ProcessTime is greater than 60 seconds and it happens more than 6 times in a 5 minute span.
Thank you for all your help in advance.
You will probably want to use streamstats and time_window.
Read more here:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/streamstats
Something like this:
... your search so far ... | sort - _time | streamstats time_window=5m count as high_count_in_five_minutes | where high_count_in_five_minutes >=6
Try this search anywhere to better understand how it works:
| gentimes start=-1 increment=30s
| head 100
| eval _time = starttime
| eval value = random()%100
| where value > 60
| table _time value
| sort _time
| streamstats time_window=5m count as high_count_in_five_minutes
Here is another slightly different approach:
| gentimes start=-1 increment=30s
| head 100
| eval _time = starttime
| eval value = random()%100
| table _time value
| sort _time
| eval bad = if(value > 60,1,0)
| where bad = 1
| streamstats time_window=5m count(bad) as bad_count
Hope it helps.
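To make the rolling-window logic concrete outside Splunk, here is an added Python example (not part of the original question or answer) that does what the rex plus streamstats time_window=5m count pipeline above does: parse the "took N seconds" field out of each log line, keep only the NoContent lines slower than 60 seconds, sort by time, and for each slow event count how many slow events fall inside the trailing 5 minute window. The log lines are constructed for the example, and the timestamp format, the function names and the exact window boundary (events up to 5 minutes old are kept) are assumptions, since the original post does not show the raw event format.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (not from the original post). The message part mirrors the
# "Ping to url [...] took N seconds and resulted in status code ..." line the search targets.
# One line is out of order and one has a different status code, to show sort and filtering.
SAMPLE_LOGS = [
    "2024-01-01 10:00:00 Ping to url [/services/Queue/ProcessDius] took 12.5 seconds and resulted in status code NoContent",
    "2024-01-01 10:00:30 Ping to url [/services/Queue/ProcessDius] took 75 seconds and resulted in status code NoContent",
    "2024-01-01 10:01:00 Ping to url [/services/Queue/ProcessDius] took 61.2 seconds and resulted in status code NoContent",
    "2024-01-01 10:01:30 Ping to url [/services/Queue/ProcessDius] took 40 seconds and resulted in status code NoContent",
    "2024-01-01 10:02:00 Ping to url [/services/Queue/ProcessDius] took 90 seconds and resulted in status code NoContent",
    "2024-01-01 10:02:15 Ping to url [/services/Queue/ProcessDius] took 200 seconds and resulted in status code BadGateway",
    "2024-01-01 10:03:00 Ping to url [/services/Queue/ProcessDius] took 120 seconds and resulted in status code NoContent",
    "2024-01-01 10:02:30 Ping to url [/services/Queue/ProcessDius] took 66 seconds and resulted in status code NoContent",
    "2024-01-01 10:03:30 Ping to url [/services/Queue/ProcessDius] took 59.9 seconds and resulted in status code NoContent",
    "2024-01-01 10:04:00 Ping to url [/services/Queue/ProcessDius] took 61 seconds and resulted in status code NoContent",
    "2024-01-01 10:04:30 Ping to url [/services/Queue/ProcessDius] took 70 seconds and resulted in status code NoContent",
    "2024-01-01 10:12:00 Ping to url [/services/Queue/ProcessDius] took 80 seconds and resulted in status code NoContent",
    "2024-01-01 10:12:30 Unrelated log line that the search would never match",
]

# Equivalent of the rex in the question, with a named capture for the seconds value.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"Ping to url \[(?P<url>[^\]]+)\] took (?P<secs>\d+(?:\.\d+)?) seconds "
    r"and resulted in status code (?P<status>\w+)"
)


def parse_events(lines, status="NoContent"):
    """Yield (timestamp, process_time) for lines that match the search terms."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["status"] != status:
            continue  # same effect as the quoted search strings filtering events
        yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), float(m["secs"])


def slow_event_counts(lines, threshold=60.0, window=timedelta(minutes=5)):
    """Mirror `where ProcessTime > 60 | sort _time | streamstats time_window=5m count`.

    Returns a list of (timestamp, process_time, count_in_window) for each slow event,
    where count_in_window is the number of slow events in the trailing window
    (including the current one). Assumed boundary: events exactly `window` old still count.
    """
    events = sorted(parse_events(lines))  # ascending time, like `| sort _time`
    recent = deque()  # timestamps of slow events still inside the window
    rows = []
    for ts, secs in events:
        if secs <= threshold:
            continue  # `where ProcessTime > 60`
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop slow events older than the window
        rows.append((ts, secs, len(recent)))
    return rows


def alerts(lines, min_count=6, **kwargs):
    """Rows that would fire the alert: `where high_count_in_five_minutes >= 6`."""
    return [row for row in slow_event_counts(lines, **kwargs) if row[2] >= min_count]


if __name__ == "__main__":
    for ts, secs, n in slow_event_counts(SAMPLE_LOGS):
        print(ts.strftime("%H:%M:%S"), secs, n)
    print("alerts:", [ts.strftime("%H:%M:%S") for ts, _, _ in alerts(SAMPLE_LOGS)])
```

Two things worth noticing when comparing this with the Splunk pipeline: the 59.9 second and BadGateway events never enter the count, exactly as the `where` and the quoted search terms drop them, and the 10:12:00 event starts a fresh count of 1 because every earlier slow event has aged out of the 5 minute window. If you want the question's literal "more than 6 times", pass `min_count=7` (the answer's search uses `>= 6`).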