Alerting

How to create an alert to include client names, error counts, and the error log events that triggered the alert?

AmitKrJash
Explorer

Hi,

I have created an alert where it checks the status of the client accessing the application. The status will be either ERROR or SUCCESS. If the status is SUCCESS, then it is fine, but if it is ERROR, it should count the number of ERROR for particular clients and will pop up an email as an alert with the list of clients and their respective ERROR counts.

This is the search:

index="abc" sourcetype="xyz" STATUS=ERROR CLIENT_ID=*|stats count by CLIENT_ID

For example, let's say I have 2 clients: Amit@xyz.com and Jash@xyz.com.
So the final output which I am receiving as an alert every 1 hour is:

    Client_ID       Count of ERROR
    Amit@xyz.com    2
    Jash@xyz.com    1

So that means there are 2 errors for Amit@xyz.com and 1 error for Jash@xyz.com in the log files. So let's say the errors in the log files are:

    2015-12-29 04:05:25 ERROR - [Client ID: Amit@xyz.com] - Client is not configured properly in the database
    2015-12-29 04:06:32 ERROR - [Client ID: Amit@xyz.com] - Client is not having enough permission to access the application

    2015-12-29 04:07:21 ERROR - [Client ID: Jash@xyz.com] - SOAP Fault occurred

My question is, is there any way to email these above mentioned log file lines along with the ERROR counts for clients in the alert? So the final alert which I should receive should be something like this:

    Client_ID       Count of ERROR
    Amit@xyz.com    2
    Jash@xyz.com    1

    2015-12-29 04:05:25 ERROR - [Client ID: Amit@xyz.com] - Client is not configured properly in the database
    2015-12-29 04:06:32 ERROR - [Client ID: Amit@xyz.com] - Client is not having enough permission to access the application

    2015-12-29 04:07:21 ERROR - [Client ID: Jash@xyz.com] - SOAP Fault occurred

Any help on this will be greatly appreciated.


jplumsdaine22
Influencer

If you're happy for them to be in line with the counts, just add the raw values into stats:

index="abc" sourcetype="xyz" STATUS=ERROR CLIENT_ID=* | stats count values(_raw) by CLIENT_ID

See the description for values(X) in http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/CommonStatsFunctions


AmitKrJash
Explorer

@jplumsdaine22 Thanks a lot for the help. It is working for me now. I am able to pull up the entire Error logs in the alert. Is there a way to get the source and the host details in the alert mail from where the logs are getting generated? In the alert mail body I tried something like this:

    Source Log= '$source$'
    Server = '$host$'

but it is not working.
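As an added example that is not from either poster, the accepted search extended so that each client's row also carries the host and source of the events that produced its error count; it assumes the same index, sourcetype and CLIENT_ID field as the question, and the AS names are my own:

```spl
index="abc" sourcetype="xyz" STATUS=ERROR CLIENT_ID=*
| stats count AS error_count
        list(_raw) AS error_events
        values(host) AS hosts
        values(source) AS sources
        by CLIENT_ID
| sort - error_count
```

Note that values(X) keeps only distinct values, so list(_raw) is used for the event lines to preserve every event in arrival order, while values(host) and values(source) give the distinct set per client; in the email body a token such as $result.host$ only reflects the first result row, so per-client hosts and sources should come from the results table included in the alert rather than from body tokens.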
