Monitoring Splunk

Is my alert query correct?

uagraw01
Builder

I want to create an alert for one particular error. So what would be the exact SPL I need to write?

The error is not in the interesting fields, so I used this one.

I did this from my end:

index=os  source="/var/log/messages" | eval  new_error= "server is not responding"

Is the above search correct? If not then please provide me the correct one.

0 Karma

richgalloway
SplunkTrust

No, your search is not correct.  It fetches all events from the /var/log/messages file and creates a field in each event called "new_error".  This probably is not the goal.  

To give a working query we must know the purpose of the alert.  What is it looking for?

Perhaps this will get you started.

index=os source="/var/log/messages" "server is not responding"
---
If this reply helps you, Karma would be appreciated.

uagraw01
Builder

@richgalloway Yes, I tried this also, and it's working. Because the server is generating this error after every 2 or 3 days, not sure. So if you suggest, can I set this simple query as the final alert?

0 Karma

richgalloway
SplunkTrust
Any query can become an alert. Once the search completes, click the "Save as" dropdown and select "Alert".
---
If this reply helps you, Karma would be appreciated.
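For reference, this is what the "Save as > Alert" step described above produces on disk, as an added example that is not part of the thread and not Splunk's own documentation. It is a savedsearches.conf stanza in the local/ directory of the app that owns the alert; the stanza name, the 15-minute schedule, the per-host throttling and the on-call address are assumptions chosen for this example, while the search line is the one from the reply above. Because the error in this thread shows up only every 2 or 3 days, the trigger is simply "more than zero results in the last window", and throttling keeps a flapping host from paging repeatedly.

```ini
# savedsearches.conf (example stanza, not from the original thread)
# Placed in local/ of the app that owns the alert.
[Alert - server not responding in /var/log/messages]
# The search from the reply above: a literal (case-insensitive) term match
search = index=os source="/var/log/messages" "server is not responding"
# Scheduled search: look back 15 minutes, run every 15 minutes
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *
# Trigger condition: number of results greater than 0
counttype = number of events
relation = greater than
quantity = 0
# Record firings under Activity > Triggered Alerts; severity 4 = high
alert.track = 1
alert.severity = 4
# Throttle: at most one notification per host per day
alert.suppress = 1
alert.suppress.period = 1d
alert.suppress.fields = host
# Email action (placeholder recipient)
action.email = 1
action.email.to = oncall@example.com
action.email.subject = Splunk alert: $name$
```

The lookback window must be at least as long as the cron interval, otherwise an event that lands between two runs is never seen; the `-15m@m` snap keeps the window boundaries aligned with the schedule. After editing the file, restart Splunk or reload the app for the stanza to take effect, and check Activity > Triggered Alerts to confirm the alert fires on a known event.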

anilchaithu
Builder

@uagraw01 

The SPL you mentioned won't work, assuming the "new_error" field is not available.

index=os  source="/var/log/messages" | eval new_error= if(like(_raw,"%server is not responding%"), "Yes", "No") | where new_error="Yes"

You can also use the search command in place of the where command.

Hope this helps.
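The computed-field approach above, written out as an added example that is not part of the thread. One difference worth knowing about between the two searches in this thread: a bare term such as "server is not responding" in the search command is matched case-insensitively, whereas the eval function like() compares strings case-sensitively, so a log line that reads "Server is not responding" is found by the first search but gets new_error="No" in the second. The version below uses match() with the (?i) flag so the computed field agrees with the plain term search, uses search instead of where as suggested, and finishes with a stats summary per host that is convenient as an alert result; the field names first_seen and last_seen are assumptions chosen for this example.

```spl
index=os source="/var/log/messages"
| eval new_error=if(match(_raw, "(?i)server is not responding"), "Yes", "No")
| search new_error="Yes"
| stats count AS hits, min(_time) AS first_seen, max(_time) AS last_seen BY host
| convert ctime(first_seen) ctime(last_seen)
```

When debugging why a computed field does not match, drop the final search/stats lines and add `| table _time host new_error _raw` so you can see the raw text next to the value the eval produced; leading whitespace, a different capitalisation, or a line break inside the message are the usual reasons a pattern that looks right still yields "No".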

uagraw01
Builder

@anilchaithu  The mentioned SPL is not working. 

0 Karma

anilchaithu
Builder

@uagraw01 

The logic should work. Do you have events in the data with this error? If yes, the text "server is not responding" in the eval command of the logic should match the event as-is.

0 Karma

uagraw01
Builder

@anilchaithu Yes, I have the event which occurred 4 days ago for that error. When I run a simple search as @richgalloway suggests, it captures that event. But when I use it to create a field for that error as you also suggest, it is not capturing any event.

0 Karma

uagraw01
Builder

@anilchaithu Yes, this approach also seems correct. I will try this one and let you know.

0 Karma