How to detect events logged 15 minutes apart in ou...

mangelastro · ‎09-21-2020

We have a heartbeat service that runs every minute recording the following timestamp information:

Heartbeat: 2020-09-21T13:50:00.3031757-06:00

I'm hoping to detect events that take 15 minutes between the current timestamp and the last timestamp.

This indicates that a server restart has happened.

Basically:

Heartbeat: 2020-09-21T13:50:00.3031757-06:00 - Heartbeat: 2020-09-21T13:35:00.3031757-06:00

Does anyone know how I could record this?

Thanks

to4kawa · ‎09-21-2020

index=_internal | head 1 | fields _raw _time | eval _raw="Heartbeat: 2020-09-21T13:50:00.3031757-06:00 - Heartbeat: 2020-09-21T13:35:00.3031757-06:00"
| rex max_match=0 "Heartbeat: (?<time>\S+)"
| eval time=mvmap(time,strptime(time,"%FT%T.%7Q%:z"))
| streamstats range(time) as duration window=1
| where duration >= 900

mangelastro · ‎09-21-2020

Thanks for the information? do you know how I can determine this data based on the most recent entry and the second most recent entry?

for example

eval _raw="Heartbeat current Entry"- "Heartbeat previous entry"

Also when I try your suggestion I'm getting an eval error

Error in 'eval' command: The 'mvmap' function is unsupported or undefined.

Thanks again for your help!

How to detect events logged 15 minutes apart in our heartbeat log?

stats

timechart

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services