I have a lookup csv file which contains for each error code:
I would like to have a real-time search with a rolling window of the past day e.g.
That search will display as a list:
That list should not display distinct errors.
Every time an error exceeds its limits, it must be included in the result.
I have configured the lookup source properly and I am able to use it in searches.
I have trouble creating the syntax of the search that will produce the above result, as I am new to using Splunk.
Any help would be highly appreciated.
Having a hard time understanding the outcome you are looking for. Is this a crude sample of your lookup table? Do you want the search to use the interval as an earliest= or latest= only if the threshold is surpassed?
Yes, sample lookup table is correct.
Apologies, but I didn't understand about the search using the interval as earliest or latest; can you please clarify?
I want to build functionality for a support engineer so that he will be able to see the errors as they are happening and the limits are being exceeded.
error that has exceeded its limits (interval and threshold)
sourcetype=error_codes earliest=rt-24h latest=rt err404 | where interval>intervalValue AND threshold>thresholdValue | table _time someadditionalfield
IntervalValue and thresholdValue exist in the lookup table
Thank you very much for the answer, but I believe this is not going to work, as the log files have different errors, where for some of the errors (as not every error should be monitored) each one has a different interval and threshold in the lookup table. I know that it is confusing, as the starting point is always rolling, but realistically I am actually interested in the snapshot of the events from rt backwards. I am not really interested whether the snapshot close to rt-24h (e.g. -23h55m) "is not accurate" compared to what I was monitoring 2m before.
Also, please keep in mind that the interval will realistically make sure that the results are "normalised" as they age out, and most of the time constant results (but most of all, meaningful to assist the support engineer) will keep being displayed as the time window rolls.
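The rule described in the thread (a rolling 24h window, a per-error-code interval and threshold taken from a lookup, and one result row for every exceedance rather than one per distinct error) is easier to pin down outside SPL first. The following Python is an added example that is not part of any post in this thread and not Splunk's own code; it assumes lookup columns named error_code, interval (seconds) and threshold, a log line of the form "<ISO timestamp> key=value ...", and that "exceeds" means strictly more events than the threshold inside the interval. The lookup CSV and log lines are constructed for the example.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the asker's lookup file; column names are assumed.
LOOKUP_CSV = """error_code,interval,threshold
ERR404,300,3
ERR500,60,1
"""

# Constructed log lines. ERR999 is deliberately absent from the lookup,
# so it must be ignored (not every error is monitored).
LOG_LINES = [
    "2024-01-01T10:00:00Z host=web1 error_code=ERR404",
    "2024-01-01T10:01:00Z host=web1 error_code=ERR404",
    "2024-01-01T10:02:00Z host=web2 error_code=ERR404",
    "2024-01-01T10:03:00Z host=web2 error_code=ERR404",
    "2024-01-01T10:03:30Z host=web1 error_code=ERR404",
    "2024-01-01T10:10:00Z host=web1 error_code=ERR404",
    "2024-01-01T10:10:30Z host=web1 error_code=ERR500",
    "2024-01-01T10:10:45Z host=web2 error_code=ERR500",
    "2024-01-01T10:12:00Z host=web2 error_code=ERR500",
    "2024-01-01T10:12:10Z host=web2 error_code=ERR999",
    "2024-01-01T10:13:00Z host=web1 error_code=ERR404",
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text):
    """Parse a UTC ISO timestamp of the assumed log format into an aware datetime."""
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def load_limits(csv_text):
    """Return {error_code: (interval_seconds, threshold)} from the lookup CSV."""
    limits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        limits[row["error_code"]] = (int(row["interval"]), int(row["threshold"]))
    return limits


def parse_line(line):
    """Split one assumed-format log line into (timestamp, error_code)."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return parse_ts(ts_text), fields["error_code"]


def find_exceedances(lines, limits, window_end_iso=None, window_hours=24.0):
    """List every event at which its error code exceeded its own limits.

    An event counts as an exceedance when the number of events with the same
    error code in the preceding `interval` seconds (including itself) is
    greater than that code's threshold. Every such event is returned, so the
    same code can appear many times; nothing is deduplicated.

    Only events inside [window_end - window_hours, window_end] are considered.
    Events older than the window are dropped entirely, so a count right at the
    old edge can be lower than it would be in a true continuous view; the
    asker stated that this inaccuracy near rt-24h is acceptable.
    """
    events = sorted(parse_line(line) for line in lines)
    if not events:
        return []
    window_end = parse_ts(window_end_iso) if window_end_iso else events[-1][0]
    window_start = window_end - timedelta(hours=window_hours)

    recent = defaultdict(deque)  # error_code -> timestamps still inside its interval
    hits = []
    for ts, code in events:
        if code not in limits or ts < window_start or ts > window_end:
            continue
        interval, threshold = limits[code]
        queue = recent[code]
        queue.append(ts)
        # Age out events that fell outside this code's interval.
        while queue and (ts - queue[0]).total_seconds() > interval:
            queue.popleft()
        if len(queue) > threshold:
            hits.append((ts.isoformat(), code, len(queue), threshold))
    return hits


if __name__ == "__main__":
    for hit in find_exceedances(LOG_LINES, load_limits(LOOKUP_CSV)):
        print(hit)
```

The per-code deque is the part that has no direct SPL equivalent: each error code has its own interval, so the sliding count has to be kept per code rather than with a single span. Re-running the function with a later window_end_iso is the same as the real-time window rolling forward.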
You can specify time modifiers in-line with earliest= and latest=, like I did below.