Alerting

set up alert

thinktanku
Explorer

Hello Team,

I need to set up an alert: when two conditions are met, I should get an alert.
1st condition (string) - BEA-000337
2nd condition - Started time is greater than 6000 ms

Could you please help?


richgalloway
SplunkTrust
Please provide some sample events and say what fields are extracted from them.
---
If this reply helps you, an upvote would be appreciated.

thinktanku
Explorer

Here is a sample event:

########################################################################

<Error> <WebLogicServer> <BEA-000337> <[STUCK] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' has been busy for "633" seconds working on the request Version: 0, Scheduled=false, Started=true, Started time: 11600000 ms


##########################################################################

When we get a stuck thread, the BEA-000337 error code will always be there, but the tricky part is that I need to get an alert only when Started time: is greater than 1000000 ms.


richgalloway
SplunkTrust

You didn't include the fields that are extracted from this event so we may be doing this the hard way.

index=foo "BEA-000337"
| rex "Started time: (?<startedTime>\d+)"
| where startedTime > 1000000

Save this search as an alert and have the alert trigger when the number of results is not zero. 

---
If this reply helps you, an upvote would be appreciated.
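
To check the pattern and threshold from the reply above against sample lines before saving the alert, the same two conditions can be replayed outside Splunk. This is an added Python example, not code from the thread; the function names, the line template and every sample line except the first are constructed here.

```python
import re

# Python spells named groups (?P<name>...); Splunk's rex uses (?<name>...).
STARTED_RE = re.compile(r"Started time: (?P<startedTime>\d+)")
ERROR_CODE = "BEA-000337"
THRESHOLD_MS = 1_000_000  # threshold used in the search above

# Template follows the event posted in the thread; values are filled in below.
STUCK = ("<Error> <WebLogicServer> <BEA-000337> <[STUCK] ExecuteThread: '{t}' "
         "for queue: 'weblogic.kernel.Default (self-tuning)' has been busy for "
         "\"{s}\" seconds working on the request Version: 0, Scheduled=false, "
         "Started=true, Started time: {ms} ms")

# Constructed sample input; only the first line matches the posted event.
SAMPLE_EVENTS = [
    STUCK.format(t=0, s=633, ms=11600000),   # above threshold
    STUCK.format(t=1, s=601, ms=900000),     # below threshold
    STUCK.format(t=2, s=610, ms=1000000),    # exactly at threshold
    STUCK.format(t=3, s=605, ms=0).split(", Started time")[0],  # field missing
    "<Info> <WebLogicServer> <unrelated> Started time: 99999999 ms",  # no code
]


def started_time_if_alert(event, threshold_ms=THRESHOLD_MS):
    """Return Started time (ms) when both alert conditions hold, else None."""
    if ERROR_CODE not in event:
        return None
    match = STARTED_RE.search(event)
    if match is None:
        return None  # no Started time in the event, so nothing to compare
    # Compare as an integer: as text, "900000" sorts above "1000000".
    started = int(match.group("startedTime"))
    return started if started > threshold_ms else None


def matching_events(events, threshold_ms=THRESHOLD_MS):
    """Return (index, started_ms) for every event that would raise the alert."""
    hits = []
    for index, event in enumerate(events):
        started = started_time_if_alert(event, threshold_ms)
        if started is not None:
            hits.append((index, started))
    return hits


if __name__ == "__main__":
    for index, started in matching_events(SAMPLE_EVENTS):
        print(f"alert: event {index} Started time {started} ms")
```
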

thinktanku
Explorer

Thank you so much @


richgalloway
SplunkTrust

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, an upvote would be appreciated.
