Alerting

set up alert

thinktanku
Explorer

Hello Team,

I need to set up an alert so that when two conditions are met, I get alerted.
1st condition (string): BEA-000337
2nd condition: Started time is greater than 6000 ms

Could you please help?


richgalloway
SplunkTrust
Please provide some sample events and say what fields are extracted from them.
---
If this reply helps you, Karma would be appreciated.

thinktanku
Explorer

Here is a sample event:

########################################################################

<Error> <WebLogicServer> <BEA-000337> <[STUCK] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)' has been busy for "633" seconds working on the request Version: 0, Scheduled=false, Started=true, Started time: 11600000 ms


##########################################################################

When we get a stuck thread, the BEA-000337 error code will always be there, but the tricky part is that I need to get an alert only when Started time is greater than 1000000 ms.

richgalloway
SplunkTrust

You didn't include the fields that are extracted from this event so we may be doing this the hard way.

index=foo "BEA-000337"
| rex "Started time: (?<startedTime>\d+)"
| where startedTime > 1000000

Save this search as an alert and have the alert trigger when the number of results is not zero. 

---
If this reply helps you, Karma would be appreciated.
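The same filter, as an added stand-alone check that is not Splunk code and not part of the original answer: it mirrors the three SPL stages (search term, `rex` extraction, numeric `where`) over a few constructed WebLogic-style events so you can see which ones would count as results before saving the alert. Event text, thread numbers and the second and third events are constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample events (not from a real server). The first follows the
# poster's event shape; the others exercise the cases that must not alert.
SAMPLE_EVENTS = [
    "<Error> <WebLogicServer> <BEA-000337> <[STUCK] ExecuteThread: '0' for queue: "
    "'weblogic.kernel.Default (self-tuning)' has been busy for \"633\" seconds working on "
    "the request Version: 0, Scheduled=false, Started=true, Started time: 11600000 ms",
    # Same error code but below the threshold: must not alert.
    "<Error> <WebLogicServer> <BEA-000337> <[STUCK] ExecuteThread: '1' ... Started time: 650000 ms",
    # Error code present but the field is missing: `where` drops it (no alert, no crash).
    "<Error> <WebLogicServer> <BEA-000337> <[STUCK] ExecuteThread: '2' busy for \"900\" seconds",
    # Different error code: never matches the "BEA-000337" search term.
    "<Warning> <WebLogicServer> <BEA-000338> <Thread pool ... Started time: 99999999 ms",
]

ERROR_CODE = "BEA-000337"
THRESHOLD_MS = 1_000_000
# Mirrors: | rex "Started time: (?<startedTime>\d+)"
STARTED_TIME_RE = re.compile(r"Started time: (?P<startedTime>\d+)")


def started_time_ms(event: str) -> Optional[int]:
    """Extract the Started time field as an integer, or None if it is absent."""
    m = STARTED_TIME_RE.search(event)
    return int(m.group("startedTime")) if m else None


def alert_events(events, threshold_ms=THRESHOLD_MS):
    """Return the events that satisfy both alert conditions."""
    hits = []
    for ev in events:
        if ERROR_CODE not in ev:                  # index=foo "BEA-000337"
            continue
        t = started_time_ms(ev)                   # | rex ...
        if t is not None and t > threshold_ms:    # | where startedTime > 1000000
            hits.append(ev)
    return hits


def should_alert(events, threshold_ms=THRESHOLD_MS) -> bool:
    """Trigger condition from the answer: number of results is not zero."""
    return len(alert_events(events, threshold_ms)) > 0


if __name__ == "__main__":
    for ev in alert_events(SAMPLE_EVENTS):
        print("would alert:", ev[:70], "...")
```

The `int()` conversion is the part to keep in mind: compared as strings, "650000" sorts after "11600000", so the threshold must be applied numerically.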

thinktanku
Explorer

Thank you so much @

richgalloway
SplunkTrust

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.