How to detect events logged 15 minutes apart in ou...

mangelastro · ‎09-21-2020

We have a heartbeat service that runs every minute recording the following timestamp information:

Heartbeat: 2020-09-21T13:50:00.3031757-06:00

I'm hoping to detect events that take 15 minutes between the current timestamp and the last timestamp.

This indicates that a server restart has happened.

Basically:

Heartbeat: 2020-09-21T13:50:00.3031757-06:00 - Heartbeat: 2020-09-21T13:35:00.3031757-06:00

Does anyone know how I could record this?

Thanks

to4kawa · ‎09-21-2020

index=_internal | head 1 | fields _raw _time | eval _raw="Heartbeat: 2020-09-21T13:50:00.3031757-06:00 - Heartbeat: 2020-09-21T13:35:00.3031757-06:00"
| rex max_match=0 "Heartbeat: (?<time>\S+)"
| eval time=mvmap(time,strptime(time,"%FT%T.%7Q%:z"))
| streamstats range(time) as duration window=1
| where duration >= 900

mangelastro · ‎09-21-2020

Thanks for the information? do you know how I can determine this data based on the most recent entry and the second most recent entry?

for example

eval _raw="Heartbeat current Entry"- "Heartbeat previous entry"

Also when I try your suggestion I'm getting an eval error

Error in 'eval' command: The 'mvmap' function is unsupported or undefined.

Thanks again for your help!

How to detect events logged 15 minutes apart in our heartbeat log?

stats

timechart

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?