How to alert if a certain transaction endswith val...

msehic · ‎08-09-2016

Need to alert if: transaction between: “is now DOWN" OR "is now UP" is larger than 60 sec. And if the last transaction "is now DOWN" happens, but “is now UP” does not in 60 sec.
So far I built the first part: “is now DOWN" OR "is now UP" is larger than 60 sec.

Source= ("is now UP" OR "is now DOWN") | transaction startswith="is now DOWN" Endswith="is now UP" | where duration > 60 |

However, not sure what to add if the last transaction "is now DOWN" happens, but “is now UP” does not happen within 60 sec.

somesoni2 · ‎08-09-2016

Try this

 Source=* ("is now UP" OR "is now DOWN") | transaction keepevicted=t startswith="is now DOWN" Endswith="is now UP" | where duration > 60 OR closed_txn=0

sundareshr · ‎08-09-2016

Try this

Source= ("is now UP" OR "is now DOWN")  | rex (?<status>UP|DOWN)" | timechart span=61s earliest(status) as start latest(status) as end | where start="DOWN" AND end="DOWN"

How to alert if a certain transaction endswith value does not happen within a duration 60 seconds?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!