Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alerting on unique field occurrence

mzammit
New Member
‎07-10-2012 11:56 PM

Hi,

I'm trying to implement a search which raises alerts based on events with unique, but as of yet unknown keys within a given timeframe.  For example, if my indexer records the following six events:

11:59:10.000 Error TestClass with ID 902228 has failed with reason... 
11:59:00.000 Error TestClass with ID 8767 has failed with reason...
11:34:32.000 Error TestClass with ID 653 has failed with reason...
11:31:10.000 Error TestClass with ID 902228 has failed with reason...
11:29:00.000 Error TestClass with ID 3652 has failed with reason...
11:25:20.000 Error TestClass with ID 902228 has failed with reason...

I'd like to raise an alert email in real-time for each event which has a unique ID but throttle, over say a 15 minute time period.  So essentially the above event list will generate 5 alert emails i.e. 902228 generates an email at 11:25:20.000 and the following event with the same ID gets skipped and every other event generates an email (so we get 5 emails).

I've thought about/tried using a lookup but am finding it hard going trying to get the syntax right.

Is this the best way?  I'd be grateful if anyone could offer some advice or a potential solution.

0 Karma
Reply

kallu
Communicator
‎07-11-2012 03:03 AM

Sounds like Splunk alert throttling?
Extract TestClass ID -field, if you haven't done that already.

... | rex field=_raw "TestClass with ID (?<TestClassID>\d*)"

And now you can set throttling on TestClassID like shown in here

http://docs.splunk.com/Documentation/Splunk/latest/User/SchedulingSavedSearches#Define_alerts_that_t...

(scroll down to "Set up throttling for a per-result alert")

Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...