Hi Amigo,
I need to set up a Splunk alert for when the status does not change from "status = pending_app_gw." to "status = ACTIVE." within 5-10 sec max. If it has not changed to active, it should alert.
08.02.2017 07:25:26.280 | 344 | INFO | 10098094 | GW: session(90200371) status = INITIALIZING.
08.02.2017 07:25:26.280 | 344 | INFO | 10098094 | GW: session(90200371) status = pending_app_gw.
*****after restart of the application *******
08.02.2017 08:20:36.618 | 1752 | INFO | 10098094 | GW: session(90200371) status = INITIALIZING.
08.02.2017 08:20:36.618 | 1752 | INFO | 10098094 | GW: session(90200371) status = pending_app_gw.
08.02.2017 08:20:36.706 | 5344 | INFO | 10098094 | GW: session(90200371) status = ACTIVE.
I tried with the below query, but it is not working as expected.
sourcetype=sesionlog pending_app_gw | rex "^[^(\n]*\((?P<ses_id>\d+)" | join ses_id [ search sourcetype=oslog earliest=-10s latest=now "status = ACTIVE." | rex "^[^(\n]*\((?P<ses_id>\d+)" ] | table host ses_id
I would appreciate your help to set up the alert so that it works properly.
Thanks in Advance.
Regards
Babujlinuz
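The detection logic the question asks for (alert on a session that enters pending_app_gw and does not reach ACTIVE within a threshold), worked through in Python as an added example; this is not code from the post or from Splunk. It parses the log format shown above, tracks the outstanding pending_app_gw per session id, and treats three cases as alerts: ACTIVE arriving later than the threshold, a session re-entering pending_app_gw without ever going ACTIVE (the restart in the sample), and a session still pending and older than the threshold at evaluation time. The sample log text and the 10 s threshold are constructed for the example; in SPL the same pairing is usually done with `transaction ses_id startswith="pending_app_gw" endswith="ACTIVE"` (with `keepevicted=true` so unfinished sessions are kept) and a filter on `duration`, rather than a `join` against a fixed `earliest=-10s` window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in the format from the post: the session goes pending at
# 07:25 and only becomes ACTIVE after the application restart at 08:20.
SAMPLE_LOG = """\
08.02.2017 07:25:26.280 | 344 | INFO | 10098094 | GW: session(90200371) status = INITIALIZING.
08.02.2017 07:25:26.280 | 344 | INFO | 10098094 | GW: session(90200371) status = pending_app_gw.
08.02.2017 08:20:36.618 | 1752 | INFO | 10098094 | GW: session(90200371) status = INITIALIZING.
08.02.2017 08:20:36.618 | 1752 | INFO | 10098094 | GW: session(90200371) status = pending_app_gw.
08.02.2017 08:20:36.706 | 5344 | INFO | 10098094 | GW: session(90200371) status = ACTIVE.
"""

# One line: timestamp | thread | level | pid | GW: session(<id>) status = <status>.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \| "
    r"(?P<tid>\d+) \| (?P<level>\w+) \| (?P<pid>\d+) \| "
    r"GW: session\((?P<ses_id>\d+)\) status = (?P<status>\w+)\.$"
)
TS_FORMAT = "%d.%m.%Y %H:%M:%S.%f"


def parse_line(line):
    """Return a dict of fields for a GW status line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FORMAT)
    return ev


def check_transitions(log_text, threshold_seconds=10.0, now=None):
    """Return (stalled, completed) lists of per-session records.

    stalled: sessions that did not reach ACTIVE within threshold_seconds of
             their last pending_app_gw; completed: sessions that did.
    now:     evaluation time used for sessions still pending at the end of the
             log; defaults to the last timestamp seen.
    """
    threshold = timedelta(seconds=threshold_seconds)
    pending = {}          # ses_id -> timestamp of the outstanding pending_app_gw
    stalled, completed = [], []
    last_ts = None
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        sid, ts, status = ev["ses_id"], ev["ts"], ev["status"]
        last_ts = ts
        if status == "pending_app_gw":
            if sid in pending:      # a second attempt before the first ever went ACTIVE
                stalled.append({"ses_id": sid, "pending_at": pending[sid].isoformat(),
                                "reason": "re-entered pending without ACTIVE"})
            pending[sid] = ts
        elif status == "ACTIVE":
            started = pending.pop(sid, None)
            if started is None:     # ACTIVE with no tracked pending: nothing to alert on
                continue
            elapsed = (ts - started).total_seconds()
            rec = {"ses_id": sid, "pending_at": started.isoformat(), "elapsed_s": elapsed}
            if elapsed <= threshold_seconds:
                completed.append(rec)
            else:
                stalled.append({**rec, "reason": "ACTIVE later than threshold"})
    # Sessions still pending at evaluation time: alert only once they are older than
    # the threshold, so a session that went pending a moment ago is not flagged yet.
    ref = now if now is not None else last_ts
    for sid, started in pending.items():
        if ref is not None and ref - started > threshold:
            stalled.append({"ses_id": sid, "pending_at": started.isoformat(),
                            "reason": "still pending past threshold"})
    return stalled, completed


if __name__ == "__main__":
    stalled, completed = check_transitions(SAMPLE_LOG)
    for rec in stalled:
        print("ALERT", rec)
    for rec in completed:
        print("ok   ", rec)
```

Run as a script it prints one ALERT for the 07:25 pending that never went ACTIVE and one ok record for the 08:20 attempt, which completed in 0.088 s. Tuning the threshold is the only knob: the post asks for 5-10 s, and the function takes the value as a parameter rather than hard-coding it.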