Re: when splunk error count is more than a number

rajs115 · ‎11-11-2021

Hi,

I have a log file in splunk which reports the errors when ever something failed. Now i need to run a splunk query if a same error show up in Splunk more than 3 times in last 1 hour. If it happens i need to send an alert.

Can someone suggest me the query with time in it?

Thanks.

PickleRick · ‎11-11-2021

Your "specification" can be interpreted in many ways 🙂

Do you just want to search for some alert and find out if it's 3 or more events? Or maybe you can have several different kinds of alerts and want to know if any single one of them occurs more than 3 times.

rajs115 · ‎11-11-2021

@PickleRick ,

"Build failed" is what i need to check in each event logs over the last 1 hour. If its repeated more than 3 times(from 3 events) in last 1 hour i need to send an alert. I hope you get my question now 🙂

Thanks.

PickleRick · ‎11-12-2021

Just do your search for "Build Failed" and trigger the alert when number of results is greater than 2. Easy.

rajs115 · ‎11-12-2021

sure @PickleRick . Thank you

when splunk error count is more than a number

alert action

alert condition

email

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Join the Conversation