I'm using timechart to produce two rows for two bl...

jospina2 · ‎07-27-2018

Hello,
I set up an alert to search for an error message that appears in one my windows application. Time-wise I set it up to search the last 10 minutes only.

SourceName="My Web Client" Message="My Error Message" earliest=-11m@m latest=-1m@m
| timechart span=5m count values() BY source

Which produces this result (see image) :

This almost works for what I want. But, I want this to trigger an email to me only if the second row's count is = 0. Right now it alerts regardless of any number, including 0.

How do I declare that row2's count must be 0? row1 is allowed to be any count number it wants, but row2 must be 0, otherwise I do not want the alert to trigger.

Thanks,
Jeff

somesoni2 · ‎07-27-2018

Try this

SourceName="My Web Client" Message="My Error Message" earliest=-11m@m latest=-1m@m 
| timechart span=5m count values() BY source
| eventstats list(count*) as list* | eval shouldAlert="No"
| foreach list* [| eval shouldAlert=if(mvindex('<<FIELD>>',1)==0,"Yes",shouldAlert) ]
| where shouldAlert="Yes"

jospina2 · ‎07-27-2018

Hello,

Line 3 was hepful, but line 4 causes this error:

Error in 'eval' command: Typechecking failed. The '==' operator received different types

I'm using timechart to produce two rows for two blocks of time, how can I do a count on only row 2 and not row 1?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes