Hello,
I am trying to devise a search that will basically count the number of two different log statements, and then from that search alert if their difference is > 1.
e.g. the search that returns the list of events is "Sending msg" OR "Received msg". I want to basically count the number of times "Sending msg" is found as one count, "Received msg" count as another, and alert if count( "Sending msg" ) - count( "Received msg" ) > 0 over a 5 minute window.
However, there aren't any fields that I can use to count; it's just a free-text log statement. I'm struggling with the Splunk syntax to accomplish this.
Any advice/help is appreciated.
Thanks,
Ryan
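One way to express this in SPL, as an added example that is not part of the original post: classify each event with `eval` and `searchmatch`, bucket into 5-minute spans, count each class with `count(eval(...))`, and keep only spans where sends outnumber receives. The field name `direction` and the aliases `sent` and `received` are assumed names chosen here; the two search strings are the ones from the post.

```spl
"Sending msg" OR "Received msg"
| eval direction=case(searchmatch("Sending msg"), "sent",
                      searchmatch("Received msg"), "received")
| bin _time span=5m
| stats count(eval(direction="sent")) AS sent,
        count(eval(direction="received")) AS received
  BY _time
| eval diff=sent-received
| where diff>0
```

Because `count(eval(...))` yields 0 for a class with no matching events in a span, a 5-minute bucket containing only "Sending msg" events still produces a row with `received=0` and triggers. If the search is saved as an alert that runs every 5 minutes over the last 5 minutes (`earliest=-5m@m latest=@m`), the `bin` line can be dropped and the alert condition set to "number of results > 0".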