Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Generating alert based on condition

Ashutosh_30
Loves-to-Learn
‎08-04-2021 03:20 AM

Hi All ,

i have configured alerts for the search below:

index="ebs_red_0" host="dev-obiee-ux0*" source="/obiee_12c/app/oracle/product/12212/user_projects/domains/bi/nodemanager/nodemanager.log" "waiting for the process to die"

Output :

8/3/21
9:38:11.000 AM		dev-obiee-ux08The server 'obips2' with process id 12714242 is no longer alive; waiting for the process to die.obips2obiee:nodemanager:logAug 3, 2021 5:38:11 AM EDT

 

but sometimes when my server process dies it restarts automatically within a 60 seconds which can be described as :

index="ebs_red_0" host="dev-obiee-ux0*" source="/obiee_12c/app/oracle/product/12212/user_projects/domains/bi/nodemanager/nodemanager.log" "is running now"

Output : 

8/3/21
9:39:27.000 AM		dev-obiee-ux08The server 'obis2' is running now.obis2obiee:nodemanager:logAug 3, 2021 5:39:27 AM EDT

 

So i want to write the search query in a way so that i generate alert only if the server process dies and doesn't come up again within 120 seconds.


the five fields used in the search are :

_time, host ,Message ,OBIEE_Comp, sourcetype ,time

 

and to generate the alert the OBIEE_Comp needs to be same 


Labels (1)
Labels
0 Karma
Reply

Ashutosh_30
Loves-to-Learn
‎08-11-2021 12:57 AM

This works but the problem is i'm getting all the results in single row.
for this :
index="ebs_red_0" host="dev-obiee-ux0*" source="/obiee_12c/app/oracle/product/12212/user_projects/domains/bi/nodemanager/nodemanager.log" "Server was killed" OR "waiting for the process to die"
| stats earliest(_time) as _time,values(time) as time,values(host) as host, values(Message) as Message, values(OBIEE_Comp) as OBIEE_Comp , values(sourcetype) as sourcetype, range(_time) as time_gap | where time_gap > 120 | table time, host ,Message ,OBIEE_Comp, sourcetype ,time_gap

Ashutosh_30_0-1628668603893.png


i want to get every record in a separate row




0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎08-04-2021 03:54 AM

Hi @Ashutosh_30 

Try this and schedule it for every 5 mins,

index="ebs_red_0" host="dev-obiee-ux0*" source="/obiee_12c/app/oracle/product/12212/user_projects/domains/bi/nodemanager/nodemanager.log" "waiting for the process to die" OR "is running now"
| stats earliest(_time) as time, values(Message) as message, values(OBIEE_Comp) as OBIEE_Comp , values(sourcetype) as sourcetype, range(_time) as time_gap
| where time_gap > 120
| table _time, host ,Message ,OBIEE_Comp, sourcetype ,time_gap

 

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...