How to detect events logged 15 minutes apart in ou...

mangelastro · ‎09-21-2020

We have a heartbeat service that runs every minute recording the following timestamp information:

Heartbeat: 2020-09-21T13:50:00.3031757-06:00

I'm hoping to detect events that take 15 minutes between the current timestamp and the last timestamp.

This indicates that a server restart has happened.

Basically:

Heartbeat: 2020-09-21T13:50:00.3031757-06:00 - Heartbeat: 2020-09-21T13:35:00.3031757-06:00

Does anyone know how I could record this?

Thanks

to4kawa · ‎09-21-2020

index=_internal | head 1 | fields _raw _time | eval _raw="Heartbeat: 2020-09-21T13:50:00.3031757-06:00 - Heartbeat: 2020-09-21T13:35:00.3031757-06:00"
| rex max_match=0 "Heartbeat: (?<time>\S+)"
| eval time=mvmap(time,strptime(time,"%FT%T.%7Q%:z"))
| streamstats range(time) as duration window=1
| where duration >= 900

mangelastro · ‎09-21-2020

Thanks for the information? do you know how I can determine this data based on the most recent entry and the second most recent entry?

for example

eval _raw="Heartbeat current Entry"- "Heartbeat previous entry"

Also when I try your suggestion I'm getting an eval error

Error in 'eval' command: The 'mvmap' function is unsupported or undefined.

Thanks again for your help!

How to detect events logged 15 minutes apart in our heartbeat log?

stats

timechart

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)