I have encountered a situation where I need to set up an alert.
In a daily log file, the usual order of steps is:

Time       Event
10:00 AM   Step 1
10:05 AM   Step 2
10:13 AM   Step 3
10:18 AM   Step 4
I need to create an alert whenever there is a discrepancy in the order of execution of the steps in the log, like below:

Time       Event
10:01 AM   Step 1
10:02 AM   Step 3
10:15 AM   Step 2
10:17 AM   Step 4

Can somebody help me with how I can achieve this in Splunk?
Do these events have a unique value that ties the 4 together? If they do, try this:

... | eval s=case(step="Step 1", 1, step="Step 2", 2, step="Step 3", 3, step="Step 4", 4)
    | stats list(time) as time list(step) as steps list(s) as s by uniq_val
    | nomv s
    | where NOT (s="1 2 3 4")
    | table time steps

Or, if they don't, try this:

... | eval s=case(step="Step 1", 1, step="Step 2", 2, step="Step 3", 3, step="Step 4", 4)
    | streamstats count reset_after="count=4"
    | streamstats count(eval(count=1)) as uniq_val
    | stats list(time) as time list(step) as steps list(s) as s by uniq_val
    | nomv s
    | where NOT (s="1 2 3 4")
    | table time steps
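The same detection logic as the two searches above, as an added offline example (not code from the original thread) that can be run against a log extract to check what the alert would fire on. The log format with a leading date, the `EXPECTED` step list and the `key` grouping callback are assumptions; `key=None` chunks events positionally like the `streamstats` search, and a key function groups by a run id or date like the `by uniq_val` search.

```python
import re
from collections import OrderedDict

# Constructed sample log (not from the original post): two daily runs of the
# four steps; the second run has Step 3 logged before Step 2.
SAMPLE_LOG = """\
2024-01-01 10:00 AM Step 1
2024-01-01 10:05 AM Step 2
2024-01-01 10:13 AM Step 3
2024-01-01 10:18 AM Step 4
2024-01-02 10:01 AM Step 1
2024-01-02 10:02 AM Step 3
2024-01-02 10:15 AM Step 2
2024-01-02 10:17 AM Step 4
"""

EXPECTED = ["Step 1", "Step 2", "Step 3", "Step 4"]
# date, clock time, AM/PM, then the step name; any other line is ignored
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{1,2}:\d{2} [AP]M) (Step \d)$")

def parse_events(text):
    """Return (timestamp, step) tuples in log order; unparseable lines are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groups() for m in matches if m]

def group_runs(events, key=None, run_len=len(EXPECTED)):
    """Split the event stream into runs. With key=None, chunk positionally in
    arrival order (what the streamstats search does); otherwise group by
    key(event), e.g. a run id or the date (what the 'by uniq_val' search does)."""
    if key is None:
        return [events[i:i + run_len] for i in range(0, len(events), run_len)]
    runs = OrderedDict()
    for ev in events:
        runs.setdefault(key(ev), []).append(ev)
    return list(runs.values())

def find_out_of_order_runs(events, key=None, expected=EXPECTED):
    """Return the runs whose step sequence is not exactly the expected order.
    A run that is too short or repeats a step fails the comparison as well."""
    return [run for run in group_runs(events, key, len(expected))
            if [step for _, step in run] != expected]

def alert_lines(text, key=None):
    """One alert string per offending run, ready to hand to an alert action."""
    return ["ORDER MISMATCH: " + ", ".join(f"{ts} {step}" for ts, step in run)
            for run in find_out_of_order_runs(parse_events(text), key)]
```

Positional chunking inherits the same caveat as the `streamstats` search: a single missing step shifts every later run by one, so prefer a real grouping key when the log carries one.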