Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Alerting on unique field occurrence

mzammit
New Member
‎07-10-2012 11:56 PM

Hi,

I'm trying to implement a search which raises alerts based on events with unique, but as of yet unknown keys within a given timeframe.  For example, if my indexer records the following six events:

11:59:10.000 Error TestClass with ID 902228 has failed with reason... 
11:59:00.000 Error TestClass with ID 8767 has failed with reason...
11:34:32.000 Error TestClass with ID 653 has failed with reason...
11:31:10.000 Error TestClass with ID 902228 has failed with reason...
11:29:00.000 Error TestClass with ID 3652 has failed with reason...
11:25:20.000 Error TestClass with ID 902228 has failed with reason...

I'd like to raise an alert email in real-time for each event which has a unique ID but throttle, over say a 15 minute time period.  So essentially the above event list will generate 5 alert emails i.e. 902228 generates an email at 11:25:20.000 and the following event with the same ID gets skipped and every other event generates an email (so we get 5 emails).

I've thought about/tried using a lookup but am finding it hard going trying to get the syntax right.

Is this the best way?  I'd be grateful if anyone could offer some advice or a potential solution.

0 Karma
Reply

kallu
Communicator
‎07-11-2012 03:03 AM

Sounds like Splunk alert throttling?
Extract TestClass ID -field, if you haven't done that already.

... | rex field=_raw "TestClass with ID (?<TestClassID>\d*)"

And now you can set throttling on TestClassID like shown in here

http://docs.splunk.com/Documentation/Splunk/latest/User/SchedulingSavedSearches#Define_alerts_that_t...

(scroll down to "Set up throttling for a per-result alert")

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...