Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

How to create an alert threshold for value by count (current search gives error "Application.errorMessage)?

trever
New Member
โ€Ž05-26-2020 12:56 PM

I have a search using timechart count by [value] and I'd like to set up an alert for when any of the values reach more than 25 results in 30 minutes.

Search:

index=[redacted] ...
| rex field=message "responseCode : (?<response>.*),"
| rex field=message "errorMessageKey : (?<response>.*),"
| timechart span=30m count by response usenull=f useother=f

The response comes back like Application.errorMessage simple and short string.

How can I achieve this?

0 Karma
Reply