Solved: How to search and alert on events that occurred tw...

randywebb · ‎01-29-2016

Hello,

I'm trying to set up an alert for when some event type stops happening.

Given multiple event types, each of which should happen several hundreds or thousands of times an hour, I need to set up an alert for when an hour goes by where any of them don't happen, and report on how many of the missing events were expected.

New event types will be added all the time without my knowledge, so it's not possible for me to provide a pre-populated lookup or anything.

So something like:

For each event type that occurred between -2h@h and -1h@h
Return each of those that did not also occur between -1h@h and 00h@h
And the count of those per hour over the last 6 hours

Thanks for any help
Randy

somesoni2 · ‎01-29-2016

Assuming your logs have a field called event_type, then you can try something like this

your base search event_type=* earliest=-2h@h latest=@h | bucket span=1h _time | stats values(_time) as ReportedHours by event_type | where mvcount(ReportedHours)=1 AND reportedHours=relative_time(now(),"-2h@h")

View solution in original post

somesoni2 · ‎01-29-2016

Assuming your logs have a field called event_type, then you can try something like this

your base search event_type=* earliest=-2h@h latest=@h | bucket span=1h _time | stats values(_time) as ReportedHours by event_type | where mvcount(ReportedHours)=1 AND reportedHours=relative_time(now(),"-2h@h")

randywebb · ‎01-29-2016

This gets me all the missing events, I think I can figure out the rest. Thanks!

PS the last part of the suggested AND section needs a capital R on ReportedHours in order to work, for anyone reading this later.

How to search and alert on events that occurred two hours ago, but not in the last hour?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life