Splunk alert configuration based on dynamic log er...

saro0710 · ‎10-24-2011

Hi,

We are using splunk for log managment and as well as alert configuration based on Exceptions/Errors threshold which works very well for static log contents.

But if a new exception or error is introduced due to a new release or patch, there is no way to find out the new pattern of errors/exceptions with splunk alerting system.

Is there any way that we can configure dynamic alerts based on dynamic nature of log pattern changes in terms of exceptions and erros with the help of REST API framework ?

Please let me know the detail

Thanks,
Saravanan

Ayn · ‎10-24-2011

This sounds like something you could do with the anomalies operator. It applies to a sliding window of events for which it monitors a field you define, and then assign an "unexpectedness" score to each value of that field.

So if you have a windows containing 10000 events and 9000 of them have the value "foo", 999 have the value "obnoxious ozelot" and the 10000th event arrives with the value "preposterous panda", Splunk will assign a very high unexpectedness score to that since it's never been seen before in the sliding window of events. You could then use the unexpectedness in your alert conditions to trigger alerts on events that don't match any of the expected values.

More information on the anomalies command is available here: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Anomalies

Splunk alert configuration based on dynamic log error/exception patterns

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases