I want a query to find the unusual exceptions with in a span of one hour. Means it should be compared with the previous logs and determine whether it is not a regular exception or a new exception, that may cause a problem to the application. And can i automate this, which should run in regular intervals
I see the question as how do I find exceptions that have not happened before?
There are a number of ways of doing this kind of task. I would build a lookup of all previously seen exception types and then only alert on those that we have not previously seen.
In this case, I'd possibly even keep other data about the source of the exception, such as the component or time that it occurred.
What i mean to say is , maintaining look up for all the exceptions which are already happened is very tedious job.Any way we have the logs which are saved, My idea is compare the logs of last one hour with the last 7 or 30 days and need to find the unseen exceptions.
So what I mean is schedule Splunk to build the lookup for you. Does that work? You can use the results of a search as a lookup. You can also use
|inputlookup append=t name_of_your_lookup to merge in any previous results