Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set up an alert if an ack message is not available for a particular req?

prashanthberam
Explorer
‎03-13-2017 11:24 AM

Hi,
i have messages like this how to setup an alert if ack message is not available in the logs for particular req.
and between req and rsp is more than 30 sec i need to setup an one more alert.

my logs like this:

2017-03-10 15:56:42.056 [WMQJCAResourceAdapter : 1] [INFO ] [DCN 0201706380692310C] SplunkLog - CorrelationID=000001806003698150190841, DCN=0201706380692310C, TransactionTimestamp=2017-03-10 15:56:37.742, GroupNumber =000Y69HB3, ServiceLinecount=4, SectionNumber=0008, CorporateEntityCode=OK1, ClaimType=0, VendorName=VERSCEND, VendorCode=CVP, TransactionCode=RSP, UtilizationAmount=3.75

2017-03-10 15:56:39.003 [WMQJCAResourceAdapter : 6] [INFO ] [DCN 0201706380692310C] SplunkLog - CorrelationID=000001806003698150190841, DCN=0201706380692310C, TransactionTimestamp=2017-03-10 15:56:39.002, GroupNumber =000Y69HB3, ServiceLinecount=4, SectionNumber=0008, CorporateEntityCode=OK1, ClaimType=0, VendorName=VERSCEND, VendorCode=CVP, TransactionCode=ACK, OutCome=C, Messagetext=ACCEPTED

2017-03-10 15:56:36.939 [WMQJCAResourceAdapter : 1] [INFO ] [DCN 0201706380692310C] SplunkLog - CorrelationID=000001806003698150190841, DCN=0201706380692310C, TransactionTimestamp=2017-03-10 15:56:36.939, GroupNumber =000Y69HB3, ServiceLinecount=4, SectionNumber=0008, CorporateEntityCode=OK1, ClaimType=0, VendorName=VERSCEND, VendorCode=CVP, TransactionCode=REQ
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-13-2017 11:36 AM

Assuming there is a unique transaction ID available in log for each req-ack-rsp combination, you could do like this (assuming CorrelationID is the unique identifier, if there are multiple columns add them to stats's by clause)

Updated mv funtion

Alert when there is no ACK event for a transaction

your base search fetching all records
| stats min(_time) as StartTime  max(_time) as EndTime values(TransactionCode) as TransactionCodes by CorrelationID
| eval _time=StartTime | where isnull(mvfilter(match(TransactionCodes,"ACK")))

Alert when transaction duration is more than 30 sec

your base search fetching all records
| stats min(_time) as StartTime  max(_time) as EndTime values(TransactionCode) as TransactionCodes by CorrelationID
| eval _time=StartTime  | eval duration=EndTime-StartTime | where mvcount(TransactionCodes)=3 AND duration>30

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-13-2017 11:36 AM

Assuming there is a unique transaction ID available in log for each req-ack-rsp combination, you could do like this (assuming CorrelationID is the unique identifier, if there are multiple columns add them to stats's by clause)

Updated mv funtion

Alert when there is no ACK event for a transaction

your base search fetching all records
| stats min(_time) as StartTime  max(_time) as EndTime values(TransactionCode) as TransactionCodes by CorrelationID
| eval _time=StartTime | where isnull(mvfilter(match(TransactionCodes,"ACK")))

Alert when transaction duration is more than 30 sec

your base search fetching all records
| stats min(_time) as StartTime  max(_time) as EndTime values(TransactionCode) as TransactionCodes by CorrelationID
| eval _time=StartTime  | eval duration=EndTime-StartTime | where mvcount(TransactionCodes)=3 AND duration>30
0 Karma
Reply
Solved! Jump to solution

prashanthberam
Explorer
‎03-13-2017 11:54 AM

while am searching first query am getting this Error in 'where' command: The arguments to the 'mvfind' function are invalid. what it means. may i know the reason.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-13-2017 12:03 PM

Oops. Used wrong function. Just updated the query to use correct function.

0 Karma
Reply
Solved! Jump to solution

prashanthberam
Explorer
‎03-13-2017 12:13 PM

Thanks for the help Somesoni2 . Now it's working ..

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-13-2017 11:33 AM

Like this:

Your Base Search Here | stats count list(_time) AS times range(_time) AS duration list(TransactionCode) AS TransactionCode BY  CorrelationID | search TransactionCode="REQ" AND NOT TransactionCode="ACK"

And this:

Your Base Search Here | stats count list(_time) AS times range(_time) AS duration list(TransactionCode) AS TransactionCode BY CorrelationID | search duration > 30 AND TransactionCode="REQ" AND TransactionCode="RSP"
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-13-2017 11:55 AM

I am done editing; sorry for the churn; I did not notice the 2nd part of the question.

0 Karma
Reply
Solved! Jump to solution

prashanthberam
Explorer
‎03-13-2017 11:59 AM

ohh Np woodcock. thanks for helping.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-13-2017 12:06 PM

I lied; I had an extra NOT in my 2nd answer. It is all good now.

0 Karma
Reply
Solved! Jump to solution

prashanthberam
Explorer
‎03-13-2017 12:14 PM

ya i haven't noticed that one. thanks woodcock

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
li.common.scroll-to.top