How to get events based on a repeated log

alejandrom_e · ‎08-16-2019

Hello,

I have a trace of events that we're logging as a JSON, correlated by an id field An example:

Event:

{
    "log": "{
        data of the current request
    }",
    "level": "INFO",
    "message": "message that it's repeated",
    "id": "an-uuid"
}

For the same ID, something like this can happen:

Log 1:

{
    "log": "{
        data of the current request
    }",
    "level": "INFO",
    "message": "message that it's repeated",
    "id": "an-uuid"
}

Log 2:

{
    "log": "{
        data of the current request
    }",
    "level": "INFO",
    "message": "message that it's repeated",
    "id": "an-uuid"
}

Log 3:

{
    "log": "{
        data of the current request
    }",
    "level": "INFO",
    "message": "message that it's repeated",
    "id": "an-uuid"
}

Log 4:

{
    "log": "{
        data of the current request
    }",
    "level": "INFO",
    "message": "another message",
    "id": "another-uuid"
}

I need to get those events that got the message field with the text "message that it's repeated" three times in a row. The timing is spaced by roughly 20 seconds between each log that contains that message.The result I'm expecting is only getting their IDs. Nothing else

That scenario represents a service call that we're retrying, but it's not happening in all the scenarios. I need to retrieve the id of those events.

I'm able to match the events that contains the message, but I didn't figure it out how to filter that dataset and I didn't find anything that help me with this so far.

Could you shed some light on this?

Thanks in advance!

woodcock · ‎08-16-2019

Like this:

... | streamstats time_window=20 count(eval(message="message that it's repeated")) AS repeated_count BY id
| where repeated_count >= 3

How to get events based on a repeated log

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!