Hi Team,
Usually the keyword "College Begins" is repeated nearly 4 times a minute in the logs.
So I want to schedule an alert and email, i.e. if the keyword "College Begins" is not there in the log for the last 5 minutes. My index=abc and host=def source=ijk.
So I want the query to trigger an alert if the keyword "College Begins" is not present in the logs.
Sample Logs:
2019-07-21 03:26:44,371|INFO|[1]|Name=XYZ|CollegeId=|College Begins
2019-07-22 05:30:48,761|DEBUG|[1]|Name=Ant|CollegeId=|College Ends
2019-07-22 05:30:48,761|DEBUG|[1]|Name=Ant|CollegeId=|College done
Try this:
index=<You should always specify an index> AND sourcetype=<And sourcetype too> "College begins"
| streamstats window=2 range(_time) as pause_seconds
| eval pause_seconds=coalesce(pause_seconds, now() - _time)
| where pause_seconds > (5 * 60)
Try this:
index=abc AND host=def source=ijk ... "College Begins" | stats count
every 5 minutes
alert if count = 0
Note: to make sure you don't miss anything, it might be better to do something like this:
earliest=-7m@m latest=-2m@m ... rest of your search
Hope it helps.
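Both answers implemented as a stand-alone check over log lines in the question's format, so the two alert conditions can be compared side by side: the per-event gap check (the streamstats range(_time) approach in the first answer, including the pause from the newest hit to now) and the count-in-a-lagged-window check (stats count with earliest=-7m@m latest=-2m@m in the second). This is an added example, not code from the thread or from Splunk; the log lines are constructed, the timestamps used for "now" are assumed, and the relative_time helper is a simplified imitation of Splunk's -Nm@m notation (offset, then snap to the minute), not Splunk's own parser.

```python
"""Heartbeat-absence check modelled on the two Splunk answers in the thread.

Added example, not the thread's own code. Log lines below are constructed.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

# Constructed sample lines in the question's format (not real data).
SAMPLE_LOGS = """\
2019-07-22 05:20:10,000|INFO|[1]|Name=XYZ|CollegeId=|College Begins
2019-07-22 05:20:25,371|INFO|[1]|Name=XYZ|CollegeId=|College Begins
2019-07-22 05:20:40,000|DEBUG|[1]|Name=Ant|CollegeId=|College Ends
2019-07-22 05:20:55,000|INFO|[1]|Name=XYZ|CollegeId=|College Begins
2019-07-22 05:21:10,000|INFO|[1]|Name=XYZ|CollegeId=|College Begins
2019-07-22 05:30:48,761|DEBUG|[1]|Name=Ant|CollegeId=|College done
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\|(?P<level>\w+)\|"
    r"\[(?P<thread>\d+)\]\|(?P<rest>.*)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S,%f"  # %f accepts the 3-digit millisecond field


class Event(NamedTuple):
    time: datetime
    level: str
    message: str  # last pipe-delimited field, e.g. "College Begins"


def at(s: str) -> datetime:
    """Parse an assumed wall-clock value such as '2019-07-22 05:27:30'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_logs(text: str) -> List[Event]:
    """Parse lines into Events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(datetime.strptime(m["ts"], TS_FMT), m["level"],
                            m["rest"].split("|")[-1]))
    return events


def keyword_hits(events: List[Event], keyword: str) -> List[Event]:
    """Case-insensitive phrase match, like a quoted term in a Splunk search."""
    k = keyword.lower()
    return sorted((e for e in events if k in e.message.lower()), key=lambda e: e.time)


def relative_time(now: datetime, minutes: int, snap_to_minute: bool = True) -> datetime:
    """Simplified imitation of Splunk '-7m@m': apply the offset, then snap to the minute."""
    t = now + timedelta(minutes=minutes)
    return t.replace(second=0, microsecond=0) if snap_to_minute else t


def window_count(events, keyword, now, earliest_min=-7, latest_min=-2) -> int:
    """Second answer: hits with earliest <= _time < latest (Splunk's inclusive/exclusive bounds)."""
    earliest = relative_time(now, earliest_min)
    latest = relative_time(now, latest_min)
    return sum(1 for e in keyword_hits(events, keyword) if earliest <= e.time < latest)


def window_alert(events, keyword, now, earliest_min=-7, latest_min=-2) -> bool:
    """Alert condition from the second answer: count == 0 in the lagged window."""
    return window_count(events, keyword, now, earliest_min, latest_min) == 0


def max_gap_seconds(events, keyword, now) -> Optional[float]:
    """First answer: largest pause between consecutive hits, plus the pause from the newest hit to now."""
    hits = keyword_hits(events, keyword)
    if not hits:
        return None
    gaps = [(b.time - a.time).total_seconds() for a, b in zip(hits, hits[1:])]
    gaps.append((now - hits[-1].time).total_seconds())
    return max(gaps)


def gap_alert(events, keyword, now, threshold_s: float = 300) -> bool:
    """Alert if any pause exceeds the threshold, or if the keyword never appeared at all."""
    g = max_gap_seconds(events, keyword, now)
    return g is None or g > threshold_s


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for when in ("2019-07-22 05:25:00", "2019-07-22 05:27:30", "2019-07-22 05:29:30"):
        now = at(when)
        print(when, "gap_alert:", gap_alert(evs, "College Begins", now),
              "window_alert:", window_alert(evs, "College Begins", now))
```

The two conditions disagree at 05:27:30: the last heartbeat was at 05:21:10, so the gap check (380 s of silence) fires, while the lagged window [-7m@m, -2m@m) still contains all four hits and stays quiet until the next run. That is the trade-off the second answer's earliest/latest offset buys: tolerance for late-indexed events in exchange for a few minutes of extra detection delay.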