Alerting on unique field occurrence

mzammit · ‎07-10-2012

Hi,

I'm trying to implement a search which raises alerts based on events with unique, but as of yet unknown keys within a given timeframe. For example, if my indexer records the following six events:

11:59:10.000 Error TestClass with ID 902228 has failed with reason...
11:59:00.000 Error TestClass with ID 8767 has failed with reason...
11:34:32.000 Error TestClass with ID 653 has failed with reason...
11:31:10.000 Error TestClass with ID 902228 has failed with reason...
11:29:00.000 Error TestClass with ID 3652 has failed with reason...
11:25:20.000 Error TestClass with ID 902228 has failed with reason...

I'd like to raise an alert email in real-time for each event which has a unique ID but throttle, over say a 15 minute time period. So essentially the above event list will generate 5 alert emails i.e. 902228 generates an email at 11:25:20.000 and the following event with the same ID gets skipped and every other event generates an email (so we get 5 emails).

I've thought about/tried using a lookup but am finding it hard going trying to get the syntax right.

Is this the best way? I'd be grateful if anyone could offer some advice or a potential solution.

kallu · ‎07-11-2012

Sounds like Splunk alert throttling?
Extract TestClass ID -field, if you haven't done that already.

... | rex field=_raw "TestClass with ID (?<TestClassID>\d*)"

And now you can set throttling on TestClassID like shown in here

http://docs.splunk.com/Documentation/Splunk/latest/User/SchedulingSavedSearches#Define_alerts_that_t...

(scroll down to "Set up throttling for a per-result alert")

Alerting on unique field occurrence

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!