I am looking for a way to display the events which appeared before a particular error is written into the log files (for that particular error there is a configured alert).
That's the alert:
index=**** message="Interface Broker Configuration Service error: No result retrieved from config service"
First I tried with localize but was not able to get a result, only this one:
And I don't know exactly how to filter the events that are written to the same log 5 s or 10 s before the error message occurs.
Another option was the combination of eval + map based on other questions posted on Splunk community but Splunk was not able to return a value:
| eval starttime=_time-180 | eval endtime=_time+1 | map search="search index=* earliest=$starttime$ latest=$endtime$"
Do you have any suggestions?
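One way to pull the events that precede each alert hit, as an added example that is not from the original post: the outer search finds the error events, computes a window with the event timestamp field `_time` (the posted search used `time`, which is not a default field, so the eval produced nothing), and `map` runs one subsearch per hit restricted to the same host and source. It assumes `<your_index>` is replaced with the alert's index, a 10 s window before the error, and that `source` values contain no characters that `map` would need to escape.

```spl
index=<your_index> message="Interface Broker Configuration Service error: No result retrieved from config service"
| eval starttime=_time-10, endtime=_time+1
| fields host source starttime endtime
| map maxsearches=20 search="search index=<your_index> host=$host$ source=$source$ earliest=$starttime$ latest=$endtime$ | eval error_time=$endtime$"
| eval error_time=strftime(tonumber(error_time)-1, "%F %T")
| sort 0 error_time _time
| table error_time _time host source _raw
```

`map` runs a separate search for every error event and stops at `maxsearches`, so keep the outer time range narrow; `latest` is exclusive, which is why `endtime` is one second past the error so the error event itself is included.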
I am trying to monitor the output of localhost through the REST API Modular Input of Splunk.
The purpose is to have the health check results shown in JSON format. Screenshot from Postman:
"message": "Inactive RMI HTTP service(s) : [/BatchExecutionService], [/BusinessExecutionService], [/ChannelDataLookupService], [/RobotExecutionService], [/WebBusinessExecutionService], [/WebExternalExecutionService]. (503)"
Once the results are shown in Splunk, I will configure an alert in case the health state is different from READY. There are more than 20 hosts consolidated into a single index and they communicate with the central server via Splunk Universal Forwarders.
Currently I am testing the scenario locally on my own laptop with a local instance of Splunk, and the application is also running on my box.
Do you have any ideas if this scenario is possible for implementation?