Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to detect message rate drop off using real-time queries

gregbujak
Path Finder
‎12-17-2010 04:16 PM

In the context of heartbeat message detection, I would like to detect when these heartbeats stop.

ex.

  • t0: 12/17/2010 10:44:30 heartbeat=systemX
  • t0: 12/17/2010 10:44:30 heartbeat=systemY
  • t1: 12/17/2010 10:44:35 heartbeat=systemX
  • t1: 12/17/2010 10:44:35 heartbeat=systemY
  • t2: 12/17/2010 10:44:40 heartbeat=systemX
  • t2: 12/17/2010 10:44:40 heartbeat=systemY
  • t3: 12/17/2010 10:44:45 heartbeat=systemX
  • t4: 12/17/2010 10:44:50 heartbeat=systemX
  • t5: 12/17/2010 10:44:55 heartbeat=systemX

Fact list:

  1. 2 systems are up and running
  2. t1, the count for each is greater then 0 for the last 10 second interval - all good
  3. t5 the count = 0 for an interval of 10s for systemY.

I would like to publish a message saying the count=0 for systemY with the understanding that it was absent for the last 10 second sampling rate.

I know how to sample the count for an interval of 10s, but the problem is that if the count=0, you have no events to work with. So it needs to be correlated to an outer query based on the heartbeat. Any help would be appreciated.

Tags (1)
0 Karma
Reply

TheGU
Path Finder
‎12-19-2010 04:42 PM

Assume that you already extract heartbeat=* to a field name "heartbeat" Try : set time to realtime 15s windows

sourcetype="heartbeatlog" | stats count by heartbeat | where count < 2
0 Karma
Reply

gregbujak
Path Finder
‎12-20-2010 05:09 PM

Thanks for the suggestion, the problem is that I need the event to be emitted when the count=0. With the above solution, it means that the event will be emitted only when the count is 1. When count = 0, it means there are no events for that heartbeat type and the event will disappear, leaving the user thinking that the heartbeat drop off has ended. I think it needs to be correlated against a greater time span, where the event does exist.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...

Application management with Targeted Application Install for Victoria Experience

Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...