Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Setting an alert for consecutive "errors" sorted by another variable

Paxxxman
Explorer
‎07-19-2012 04:13 PM

Hi,

I'm trying to set up an alert that checks for three '0' values in a row from the same "lane". If a non-zero value is found in between no alert is made. The transaction coming through from the logs looks like:

NAME=2012_07_20_07_59_56_729_0_00004_00002.jpg,OCR=BJH27V,CONFIDENCE=563,STATE=NSW,LANE=4

Basically, whenever there's three CONFIDENCE=0 in a row in the same LANE, I need an alert to be sent. I tried following some steps from another question posted here which used streamstats, but I'm not sure how to use it and also differentiate by lane.

All help is appreciated! Thanks!

Tags (1)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎07-19-2012 05:10 PM

With realtime search, you could use:

... | dedup 3 LANE | stats count(CONFIDENCE==0) as count | where count==3

In a non-realtime periodic search, use:

... | streamstats current=t window=3 global=f
        count(CONFIDENCE==0) as count
      by LANE
    | where count==3

Then you can either just use a per-result alert for each LANE value (which you really should do for the realtime version), or get an alert whenever you get more than 0 results from this search.

Reply

Paxxxman
Explorer
‎07-22-2012 05:12 PM

I tried the non-realtime periodic search and I've yet find any results from it. I know there exists plenty of times where there's 3 CONFIDENCE=0 in a row. Not sure what else I can try.

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...