Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trigger Alert on 10 consecutive occurrences of ErrorCode=

irishmanjb
Path Finder
‎08-15-2020 07:21 AM

Hello Splunkers

I have an IIS log I need to open and search through every 15 minutes. If I see 10 consecutive occurences of the field ErorrCode= within a five minute period I want to trigger an alert.

ErrorCode=  Will be populated with different error codes like this ErrorCode=T1234.  I dont want to count individual error codes just the field ErrorCode.  I have been able to seach for occurences using alerts but the requirement if that they have to be consecutive occurences.

 

Here is an example snippet  ErrorCode can return several different values.  We dont care about the individual codes we just want to trigger when  the term ErrorCode appears in 10 consecutive lines of the log during a time window of 5 minutes

LogTypeID="x", InfoSourceID="x", ErrorText="xxxxxxxx", ErrorCode="XXXXXX", ErrorDescription="xxxxxxxx", IISServerName="xxxxxx", CreatedDate="2020-08-14 10:19:34.557", CreatedBy="xxxxxx", MemberShipID="xxxxxx", RegisterRequestTime="2020-08-14 10:16:06.0", AppCode="xxxxxx", InvalidAppCode="xxxxxx,"

 

any help would be appreciated

thanks

John

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-16-2020 09:29 AM

Try this.  It will trigger an alert when there are 10 or more consecutive errors, but will not return the individual events.

index = foo
| bin span=5m _time
| streamstats reset_after=(isnull(ErrorCode)) count
| where (count >= 10 AND isnotnull(ErrorCode))
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-16-2020 09:29 AM

Try this.  It will trigger an alert when there are 10 or more consecutive errors, but will not return the individual events.

index = foo
| bin span=5m _time
| streamstats reset_after=(isnull(ErrorCode)) count
| where (count >= 10 AND isnotnull(ErrorCode))
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

irishmanjb
Path Finder
‎08-25-2020 08:27 AM

sorry for the delay this set me down the right path thanks!

Tags (1)
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎08-16-2020 04:12 PM

by clause is missing.

0 Karma
Reply
Solved! Jump to solution

irishmanjb
Path Finder
‎08-16-2020 05:04 PM

thanks to4kawa on what answer?

0 Karma
Reply
Solved! Jump to solution

irishmanjb
Path Finder
‎08-16-2020 01:20 PM

thanks will test this.

0 Karma
Reply
Solved! Jump to solution

venkateshparank
Path Finder
‎08-16-2020 01:00 AM

@irishmanjb 
index=abc ErrorCode=* |bin span=5m _time | stats count by ErrorCode,_time|where count>=10

Try above query. It should work.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎08-16-2020 04:13 PM

If the event doesn't have ErrorCode, this query can't work.

Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎08-15-2020 09:48 PM

streamstats has time_window option.
but there is not the detail of consecutive occurrences .

0 Karma
Reply
Solved! Jump to solution

irishmanjb
Path Finder
‎08-16-2020 07:51 AM

thanks will take a look

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...