Splunk alert to get consecutive errors from logs

ritwikva · ‎05-11-2015

Hello Support,

I need a query to get all the errors/exception which are occuring consecutively for more than 25 times in last 3 hours? Could you help?

Thanks
Ritwik

woodcock · ‎05-19-2015

Something like this:

sourcetype=mylogs err* OR exception | stats count by host | where count>25

vietlq414 · ‎09-18-2019

does it's true if there are some success events between error events.

jtrucks · ‎05-11-2015

Please show examples of the logs you're using - specifically show the log entries that hold the data upon which you need to search. Also, please clarify what you mean by "consecutively" in this context. Is this simply a count of > 25 times a particular error has happened within the last three hours? Is it a specific series of 25 events in a certain order?

--
Jesse Trucks
Minister of Magic

ritwikva · ‎05-11-2015

Hello Jtrucks,

Thanks for the quick reply.

Here is an example of the log entry

May 11, 2015 3:38:30 PM org.apache.axis2.transport.http.HTTPSender sendViaPost
INFO: Unable to sendViaPost to url[http://customer.xxx.com:19100/CashCRUDWebservice/endpoints]
java.net.SocketTimeoutException: Read timed out
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:152)
at java.net.SocketInputStream.read(SocketInputStream.java:122)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)

**** Error Mon May 11 3:40:00 PM 2015 /com/commerce/droplets/FetchStoreForCommItemDroplet InvalidParameterException

Here in the above log entry, I like to find out if any of the exception occurred more than 25 times in a 3 hour window.

Splunk alert to get consecutive errors from logs

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!