Solved: Bucket/Group Result

mugilbala · ‎06-13-2018

I have following log statements.

2018-06-11 22:31:32,621 GMT DEBUG (EJB default - 148|E:IMS-RMIG-215079116505-1642-108832|R:jEbq7qvVjp9-M7hA) {I:221307272} Receiving the following https response (182ms from https://host/json/submitRequest/migrate/add HTTP/1.1 429 Too Many Requests Server: Apache-Coyote/1.1 Connection: close X-Request-Id: 41000476-69e2-4e90-6df1-845f0ee87123 Date: Mon, 11 Jun 2018 22:31:32 GMT Via: 1.1 CodeBig Content-Length: 317 Content-Type: application/json;charset=UTF-8 {"validationMessages":[{"text":"transactions will not be processed, please retry during normal hours","code":12346578}],"code":"100000","message":"VALIDATION FAILURE","timestamp":1528756292593,"status":"TOO_MANY_REQUESTS"}
2018-06-11 22:25:57,164 GMT DEBUG (EJB default - 137|E:IMS-RMIG-238112023408-1644-114290|R:V0ZMfavVCp98_bjx) {I:221304380} Receiving the following https response (145ms from https://host/json/submitRequest/migrate/add HTTP/1.1 429 Too Many Requests Server: Apache-Coyote/1.1 Connection: close X-Request-Id: 89297b0a-c022-4d4c-562f-3c91ab8c90c1 Date: Mon, 11 Jun 2018 22:25:57 GMT Via: 1.1 CodeBig Content-Length: 317 Content-Type: application/json;charset=UTF-8 {"validationMessages":[{"text":"transactions will not be processed, please retry during normal hours","code":12346578}],"code":"100000","message":"VALIDATION FAILURE","timestamp":1528755957107,"status":"TOO_MANY_REQUESTS"}
2018-06-11 22:25:41,533 GMT DEBUG (EJB default - 162|E:IMS-RMIG-215083505601-1642-106732|R:8UbCk6vVkZ98trjh) {I:221304335} Receiving the following https response (267ms from https://host/json/submitRequest/migrate/add HTTP/1.1 429 Too Many Requests Server: Apache-Coyote/1.1 Connection: close X-Request-Id: 5ba8bb08-f939-4fb2-5ad5-3786f8cbe821 Date: Mon, 11 Jun 2018 22:25:41 GMT Via: 1.1 CodeBig Content-Length: 317 Content-Type: application/json;charset=UTF-8 {"validationMessages":[{"text":"transactions will not be processed, please retry during normal hours","code":12346578}],"code":"100000","message":"VALIDATION FAILURE","timestamp":1528755941489,"status":"TOO_MANY_REQUESTS"}

Need to find if there was more than 1 request sent to this url "https://host/json/submitRequest/migrate/add" per second.
We can use the timestamp of splunk log (2018-06-11 22:25:41,533) or timestamp mentioned in response (timestamp":1528755941489).

Can you please help me with formulating the query?

somesoni2 · ‎06-13-2018

Try like this

index=foo sourcetype=bar..other base search criteria..  "https://host/json/submitRequest/migrate/add"
| timechart span=1s count
| where count>1

Above should give you list of all timestamp (granularity to seconds) where count of events was more than 1. If you want to setup an alert, you can use the above search and use alert condition as "when number of events > 0"

View solution in original post

somesoni2 · ‎06-13-2018

Try like this

index=foo sourcetype=bar..other base search criteria..  "https://host/json/submitRequest/migrate/add"
| timechart span=1s count
| where count>1

Above should give you list of all timestamp (granularity to seconds) where count of events was more than 1. If you want to setup an alert, you can use the above search and use alert condition as "when number of events > 0"

mugilbala · ‎06-14-2018

Thank you.

Bucket/Group Result

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation