Splunk search query retrieves logs from the specified index, host, and sourcetype, filtering them based on various fields such as APPNAME, event, httpMethod, and loggerName. It then deduplicates the events based on the INTERFACE_NAME field and calculates the count of remaining unique events.
Splunk alert monitors the iSell application's request activity logs, specifically looking for cases where no data is processed within the last 30 minutes. If fewer than 2 unique events are found, the alert triggers once, notifying the appropriate parties.
From our end records are processed successfully and we provide the condition to trigger an INC count less than 2
we are getting more than one successful events even alert get triggering and getting INC
Please check why we are getting false alert and suggest us
index=*core host=* sourcetype=app_log APPNAME=iSell event=requestActivity httpMethod=POST loggerName="c.a.i.p.a.a.a.StreamingActor" | dedup INTERFACE_NAME| stats count
