Re: Heartbeat check

metylkinandrey · ‎09-01-2022

Good afternoon!
I have six Heartbeat messages coming from the system. All messages from the chain are connected by one: "srcMsgId". Messages have a certain interval, if the interval between messages is higher, that is, one message in a chain (out of six messages) is late, say six seconds (the normal interval is five seconds), then an alarm is triggered. Can you tell me how to do it?
I tried something like this but it's not exactly what you need:

index="bl_logging" sourcetype="testsystem-2" srcMsgId="rwfsdfsfqwe121432gsgsfgd80"

| transaction maxpause=5m srcMsgId Correlation_srcMsgId messageId

| table _time srcMsgId Correlation_srcMsgId messageId duration eventcount

| sort srcMsgId _time

| streamstats current=f window=1 values(_time) as prevTime by subject

| eval timeDiff=_time-prevTime

| delta _time as timediff

| where (timediff)>6

This will only show me the lagging message.

Messages arrive one after another, so we can see their interval and, in theory, take this opportunity to create an alarm when the interval is increased.

Please tell me how can I do this.
Alas I don't selenium in splunk.

gcusello · ‎09-01-2022

HI @metylkinandrey,

please try something like this:

index="bl_logging" sourcetype="testsystem-2" srcMsgId="rwfsdfsfqwe121432gsgsfgd80"
| transaction maxevents=2 srcMsgId Correlation_srcMsgId messageId
| where duration>5
| table _time srcMsgId Correlation_srcMsgId messageId duration eventcount

Ciao.

Giuseppe

Help with Heartbeat check

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation