Alerting

Splunk alert to get consecutive errors from logs

ritwikva
New Member

Hello Support,

I need a query to get all the errors/exception which are occuring consecutively for more than 25 times in last 3 hours? Could you help?

Thanks
Ritwik

Tags (2)
0 Karma

woodcock
Esteemed Legend

Something like this:

sourcetype=mylogs err* OR exception | stats count by host | where count>25
0 Karma

vietlq414
Explorer

does it's true if there are some success events between error events.

0 Karma

jtrucks
Splunk Employee
Splunk Employee

Please show examples of the logs you're using - specifically show the log entries that hold the data upon which you need to search. Also, please clarify what you mean by "consecutively" in this context. Is this simply a count of > 25 times a particular error has happened within the last three hours? Is it a specific series of 25 events in a certain order?

0 Karma

ritwikva
New Member

Hello Jtrucks,

Thanks for the quick reply.

Here is an example of the log entry

May 11, 2015 3:38:30 PM org.apache.axis2.transport.http.HTTPSender sendViaPost
INFO: Unable to sendViaPost to url[http://customer.xxx.com:19100/CashCRUDWebservice/endpoints]
java.net.SocketTimeoutException: Read timed out
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:152)
at java.net.SocketInputStream.read(SocketInputStream.java:122)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)

**** Error Mon May 11 3:40:00 PM 2015 /com/commerce/droplets/FetchStoreForCommItemDroplet InvalidParameterException

Here in the above log entry, I like to find out if any of the exception occurred more than 25 times in a 3 hour window.

0 Karma
Get Updates on the Splunk Community!

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...