Hello Splunkers
I have an IIS log I need to open and search through every 15 minutes. If I see 10 consecutive occurrences of the field ErrorCode= within a five minute period I want to trigger an alert.
ErrorCode= will be populated with different error codes like this: ErrorCode=T1234. I don't want to count individual error codes, just the field ErrorCode. I have been able to search for occurrences using alerts, but the requirement is that they have to be consecutive occurrences.
Here is an example snippet. ErrorCode can return several different values. We don't care about the individual codes; we just want to trigger when the term ErrorCode appears in 10 consecutive lines of the log during a time window of 5 minutes.
LogTypeID="x", InfoSourceID="x", ErrorText="xxxxxxxx", ErrorCode="XXXXXX", ErrorDescription="xxxxxxxx", IISServerName="xxxxxx", CreatedDate="2020-08-14 10:19:34.557", CreatedBy="xxxxxx", MemberShipID="xxxxxx", RegisterRequestTime="2020-08-14 10:16:06.0", AppCode="xxxxxx", InvalidAppCode="xxxxxx,"
any help would be appreciated
thanks
John
Try this. It will trigger an alert when there are 10 or more consecutive errors, but will not return the individual events.
index = foo
| bin span=5m _time
| streamstats reset_after=(isnull(ErrorCode)) count
| where (count >= 10 AND isnotnull(ErrorCode))
If this reply helps you, Karma would be appreciated.
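An added example, not from this reply or from Splunk, that runs the same logic in Python over constructed sample lines in the question's format: it bins by CreatedDate, resets the counter after a line with no ErrorCode (isnull), and with reset_per_bin=True also resets at each 5-minute boundary, which is what a `by _time` clause would add; the helper names, the sample values and the field names beyond those in the question are assumptions.

```python
import re
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)="([^"]*)"')   # key="value" pairs as in the question's log line

def parse_line(line):
    """Parse one key="value" log line into a dict."""
    return dict(KV_RE.findall(line))

def bin_time(ts, span_minutes):
    """Floor a timestamp to its span, like `bin span=5m _time`."""
    return ts.replace(minute=ts.minute - ts.minute % span_minutes, second=0, microsecond=0)

def consecutive_error_runs(lines, threshold=10, span_minutes=5, reset_per_bin=True):
    """Return the bin start times where at least `threshold` consecutive lines carry ErrorCode.

    Mirrors `bin span=5m _time | streamstats reset_after=(isnull(ErrorCode)) count | where count>=10`:
    the counter resets after a line with no ErrorCode; with reset_per_bin=True it also resets when
    the bin changes (the effect of a `by _time` clause), so a run cannot straddle two bins."""
    alerts, fired, count, current_bin = [], set(), 0, None
    for line in lines:
        ev = parse_line(line)
        b = bin_time(datetime.strptime(ev["CreatedDate"], "%Y-%m-%d %H:%M:%S.%f"), span_minutes)
        if reset_per_bin and b != current_bin:
            count = 0
        current_bin = b
        if not ev.get("ErrorCode"):      # absent (or empty) field: isnull(ErrorCode) -> reset
            count = 0
            continue
        count += 1
        if count >= threshold and b not in fired:   # first event in this bin passing the where
            fired.add(b)
            alerts.append(b)
    return alerts

def make_line(ts, code=None):
    """Constructed sample line in the question's format; ErrorCode is omitted when code is None."""
    err = f'ErrorCode="{code}", ' if code else ""
    return (f'LogTypeID="1", InfoSourceID="2", {err}IISServerName="web01", '
            f'CreatedDate="{ts.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]}", AppCode="x"')

BASE = datetime(2020, 8, 14, 10, 16, 0)   # constructed sample log, three scenarios
SAMPLE_LINES = (
    # 10:15 bin: 12 error lines, but the 5th lacks ErrorCode -> runs of 4 and 7, no alert
    [make_line(BASE + timedelta(seconds=i), None if i == 4 else "T1234") for i in range(12)]
    # 10:20 bin: 10 consecutive error lines -> alert
    + [make_line(BASE + timedelta(minutes=5, seconds=i), "T5678") for i in range(10)]
    # 10 error lines straddling the 10:30 boundary (5 per bin) -> no alert once counts reset per bin
    + [make_line(BASE + timedelta(minutes=13, seconds=55 + i), "T9999") for i in range(10)]
)

if __name__ == "__main__":
    print("with per-bin reset   :", consecutive_error_runs(SAMPLE_LINES))
    print("without per-bin reset:", consecutive_error_runs(SAMPLE_LINES, reset_per_bin=False))
```

Run without the per-bin reset, the same sample also fires for the 10:25 and 10:30 bins because the counter carries over from the earlier run, which is the over-alerting a missing `by _time` causes.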
by clause is missing.
Thanks to4kawa, on what answer?
Thanks, will test this.
@irishmanjb
index=abc ErrorCode=* | bin span=5m _time | stats count by ErrorCode,_time | where count>=10
Try above query. It should work.
If the event doesn't have ErrorCode, this query can't work.
streamstats has a time_window option,
but there are no details on consecutive occurrences.
Thanks, will take a look.