
I am looking to trigger an alert in Splunk if a new error appears in the server logs. A new error is one that was not present in the server logs in the past week. I have an index for the logs: index=Serverlogs1.

Please help!

    Could you be more specific, please? What kind of anomaly are you looking for? In what kind of data? – RichG Aug 30 '20 at 21:13
  • I am looking to trigger an alert in Splunk if a new error appears in the server logs. A new error is one that was not present in the server logs in the past week. I have an index for the logs: index=Serverlogs1. Please help! – user14191992 Aug 31 '20 at 06:18
  • What have you already tried? What does the data look like? How do you determine "new"? Is it *anywhere* in the last week? Only on *one endpoint*? Something else? – warren Aug 31 '20 at 14:57
  • My goal is to scan the Splunk logs for all errors in stack traces over the past week (excluding today) and find any anomalous/new errors in the past 24 hours. Most of the time the "message" field holds the stack trace. But for the same error in the "message" field, the profileid/jsessionid fields should be ignored. When I use the query below, the same error with a different jsessionid and profileid is also reported as an anomaly (which is not what I expected): "index=serverlogs1 log_level=error | anomalydetection action=filter message" – user14191992 Sep 01 '20 at 08:31

1 Answer


Finding something that has not been seen in some time requires searching all of the data over that period, so be prepared for slow performance. It will help if you can be specific about the criteria for a "new" event. Start with this search. Replace _raw with specific fields, if possible.

index=serverlogs1 earliest=-1w
| stats count by _raw
| where count = 1
RichG
  • My goal is to scan the Splunk logs for all errors in stack traces over the past week (excluding today) and find any anomalous/new errors in the past 24 hours. Most of the time the "message" field holds the stack trace. But for the same error in the "message" field, the profileid/jsessionid fields should be ignored. When I use the query below, the same error with a different jsessionid and profileid is also reported as an anomaly (which is not what I expected): "index=serverlogs1 log_level=error | anomalydetection action=filter message" – user14191992 Sep 01 '20 at 08:31
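The follow-up comment narrows the requirement: an error is "new" when its stack trace first shows up in the last 24 hours, and two traces that differ only in jsessionid or profileid should count as the same error. The search below is an added example, not part of RichG's answer and not a query from the asker. It assumes the field names `message` and `log_level` from the comment, and it assumes the session and profile identifiers appear inline in `message` as `jsessionid=<value>` / `profileid=<value>` (that format is an assumption; adjust the regex to whatever the traces actually contain). The idea is to normalise each message into a signature, then keep only signatures whose earliest occurrence in the seven-day window falls inside the last 24 hours, which is the same "not seen in the past week" test without a second pass over the data.

```spl
index=serverlogs1 log_level=error earliest=-7d@d
``` normalise the trace: replace the variable identifiers with a fixed token so that
    the same error from different sessions/profiles collapses to one signature
    (key=value format is an assumption; extend the alternation for other volatile
    fields such as request ids or timestamps embedded in the trace) ```
| eval sig=replace(message, "(?i)(jsessionid|profileid)=[^\s;,&]+", "\1=<ID>")
``` one row per signature: when it was first seen in the 7-day window and how often ```
| stats min(_time) AS first_seen, count AS occurrences BY sig
``` "new" = the signature's first appearance is within the last 24 hours;
    anything already seen earlier in the week is dropped here ```
| where first_seen >= relative_time(now(), "-24h")
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| sort - occurrences
```

Save this as a scheduled search (for example hourly over the same seven-day window) with the alert condition "number of results is greater than 0"; each result row is one previously unseen error signature plus its first-seen time and count. If jsessionid and profileid are extracted as separate fields rather than embedded in the message text, the `replace` step is unnecessary and `stats ... BY message` works directly. The triple-backtick comment syntax inside the search requires a Splunk version that supports SPL comments; on older versions drop the comment lines.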