Re: How can I search for two different error messa...

svemurilv · ‎11-08-2017

I have 2 sourcetypes. For each sourcetype having different error messages, how can I search those 2 different error messages to see if they happened in a bucket of 1 minute timespan?

sourcetyep=first OR sourcetyep=second_one ErrorMessage="timeout" OR ErrorMessage="brokenPipe" |bucket _time span=1m

DalJeanis · ‎11-08-2017

Here's one way

( sourcetype=first OR sourcetype=second_one) (ErrorMessage="timeout" OR ErrorMessage="brokenPipe") 
| sort 0 _time
| streamstats time_winidow=60s values(ErrorMessage) as ErrorMessage 
| where mvcount(ErrorMessage) >1

svemurilv · ‎11-09-2017

i have change a logic that both the conditions was happened in a bucket of time 1 min , still its not working,

(sourcetype=nginx:apierror ErrorMessage="connect() failed (111: Connection refused) while connecting to upstream") AND (sourcetype=nginx:nginxerror ErrorMessage="open()*No such file or directory)") | streamstats time_window=60s values(ErrorMessage) as ErrorMessage| where mvcount(ErrorMessage) >1

LCM_BRogerson · ‎11-09-2017

Replace the AND with an OR in your search
(sourcetype=nginx:apierror ErrorMessage="connect() failed (111: Connection refused) while connecting to upstream") OR (sourcetype=nginx:nginxerror ErrorMessage="open()*No such file or directory)")

Your search will return events with (values A B) AND (values C D). Instead I think you want events with (values A B) OR (values C D)

How can I search for two different error messages to see if they both happened in a one-minute timespan?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?