GERH
Reputation: 111
Splunk Alert on missing log with GUID
I am trying to create a Splunk alert that will be triggered if two events do not occur in a certain time window. The two events will be linked by a GUID and there may be multiple events occurring with different GUIDs simultaneously.
Can someone indicate where to start?
Upvotes: 0
Views: 260
Answers (1)
RichG
Reputation: 9926
There probably are a few ways to do this. The worst one is by using the transaction command because it's very slow.
Try using stats to find the time span of the events and alert on those that are too slow (5 minutes in this example).
... | stats range(_time) as duration by GUID | where duration > 300
Upvotes: 1
Related Questions
- Splunk: search for “a first log that got printed, but the second was not printed”
- What search terms should I use when creating alert that is triggered when there are no logs coming from service in Splunk?
- splunk query based on log stdout
- Splunk Alert Creation
- Splunk Query - Search unique exception from logs with counts
- Splunk: Matching an error log and obtaining the count of it
- Splunk: search a string, if found only then look for another log with same request-id
- Splunk alert based on the search result value
- Checking Splunk logs for one string but not others
- Notify upon any serious errors on logs