Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how find continuously occured events

indeed_2000
Motivator
‎10-23-2021 05:57 AM

Hi

How can I find continuously occured events?

e.g

1- I have field that call "response time" 

if some times show "response time" is high not issue but if it continuously occured it's not normal. (couple of milisecond, seconds or minutes )

2-I have "error code" field

error code 404 is normal but if continuously occured, means something is wrong. (couple of milisecond, seconds or minutes )

 

FYI: this is huge log, consider that performance is a important factor.

Any idea?

Thanks,

Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-23-2021 09:03 AM

It seems that you're trying to do some service monitoring.

There is an app for it and it's called ITSI 😉

But to solve your problem we should define what you call "conitnuously".

I'd approach it by doing a timechart of 404 or long request ratio against all requests and check if the ratio exceeds some threshold. This might not be exactly what you specified, but I think it's a relatively good way to monitor errors.

Of course you could try to approach your specs literarily and check for a continuous stream of long or erroneous requests (for example with transaction) but it won't be either practical nor effective.

0 Karma
Reply

indeed_2000
Motivator
‎10-23-2021 09:07 AM

so what is the best way to do this?

as I mention this is huge log file(it's not realtime) , and i'm looking for logical way to do this.

 

Any other idea?

Thanks

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-23-2021 09:20 AM

As I said, I'd do something like

<your search> | timechart span=1m count(eval(code="404")) as errors count as allreqs | eval ratio=errors/allreqs

And see if in any of your periods the ratio exceeds, for example, 20%.

If the data set is huge, you might want to accelerate the report.

Or, even better, if you have the data aligned with the Web CIM model, you can accelerate the datamodel (if you don't have it accelerated already) and search from the datamodel, not from the original raw data.

0 Karma
Reply

indeed_2000
Motivator
‎10-23-2021 09:24 AM

as I mention (second, milisecond) are important. your span set to the minute. and definately if I change it to second it has huge impact. take long time to cmplete and could not loud on visualize chart.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-23-2021 12:44 PM

As I wrote before - accelerate your report, use accelerated datamodel.

But still, if you want a near-realtime response... well, you chose a wrong tool. If you have huge amounts of data to process, whatever search you make, you still have to scan all those events this way or another.

BTW, aggregating on second or millisecond level to seems pointless, but who am I to judge.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...