I have a lookup csv file which contains for each error code:
interval
threshold
some additional informational fields
I would like to have a real-time search with a rolling window of the past day e.g.
Start time = rt-24h
Finish time = rt
That search will display as a list:
error that has exceeded its limits (interval and threshold)
time that this has happened
some of the additional informational fields
descending order based on the time this has happened
That list should not display distinct errors.
Every time an error exceeds its limits, it must be included in the result.
I have properly configured the lookup source and I am able to use it in searches.
I have trouble creating the syntax for the search that will produce the above result, as I am new to using Splunk.
Any help would be highly appreciated.
Regards
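One way to build the search described in the question, as an added example that is not part of the original post. It assumes an index `app_logs`, a sourcetype `app_errors`, an event field `error_code`, a lookup file `error_limits.csv` whose columns are `error_code`, `interval` (seconds), `threshold`, `owner` and `description`, and that the time range is set with `earliest=rt-24h latest=rt` rather than in the time picker; all of these names are assumptions.

```spl
index=app_logs sourcetype=app_errors earliest=rt-24h latest=rt
| lookup error_limits.csv error_code OUTPUT interval threshold owner description
| eval interval=tonumber(interval), threshold=tonumber(threshold)
| where isnotnull(interval) AND isnotnull(threshold)
| eval window_start=floor(_time/interval)*interval
| stats count AS occurrences max(_time) AS last_seen values(owner) AS owner values(description) AS description BY error_code window_start interval threshold
| where occurrences > threshold
| eval exceeded_at=strftime(last_seen, "%Y-%m-%d %H:%M:%S"), window_start=strftime(window_start, "%Y-%m-%d %H:%M:%S")
| sort 0 -last_seen
| table exceeded_at error_code occurrences threshold interval window_start owner description
```

Because each error code carries its own `interval`, the search derives a per-code bucket with `floor(_time/interval)*interval` instead of a fixed `span`; every bucket in which the count passes `threshold` becomes one row, so the same error code appears as many times as it exceeded its limit, and `sort 0 -last_seen` orders the rows by the most recent occurrence in each bucket. The `where isnotnull(...)` line drops events whose code is missing from the lookup rather than silently comparing against empty values. Note the buckets are tumbling (aligned to multiples of `interval`), not sliding, so a burst that straddles a bucket boundary can split across two buckets and fall under the threshold in both; if that matters, replace the `eval`/`stats` pair with `streamstats time_window=<n> count BY error_code`, which needs a fixed window per search, or run one search per distinct interval value.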