Re: when splunk error count is more than a number

rajs115 · ‎11-11-2021

Hi,

I have a log file in splunk which reports the errors when ever something failed. Now i need to run a splunk query if a same error show up in Splunk more than 3 times in last 1 hour. If it happens i need to send an alert.

Can someone suggest me the query with time in it?

Thanks.

PickleRick · ‎11-11-2021

Your "specification" can be interpreted in many ways 🙂

Do you just want to search for some alert and find out if it's 3 or more events? Or maybe you can have several different kinds of alerts and want to know if any single one of them occurs more than 3 times.

rajs115 · ‎11-11-2021

@PickleRick ,

"Build failed" is what i need to check in each event logs over the last 1 hour. If its repeated more than 3 times(from 3 events) in last 1 hour i need to send an alert. I hope you get my question now 🙂

Thanks.

PickleRick · ‎11-12-2021

Just do your search for "Build Failed" and trigger the alert when number of results is greater than 2. Easy.

rajs115 · ‎11-12-2021

sure @PickleRick . Thank you

when splunk error count is more than a number

alert action

alert condition

email

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?