
I'm new to Splunk and I have to complete this task on a priority basis. I want to set an alert for multiple APIs deployed on PCF, e.g.

API-NAME : Error1,Error2,3..

API-NAME2 : Error1,Error2,3.

API-NAME3 : Error1,Error2,3.

The errors are the same for every API.

How do I write a Splunk query to raise an alert for the above condition?

I thought I would simply use an OR condition to create queries,

like `Error1 OR Error2`,

but this will create a global alert and I don't want this.

I can't use the API name in the query, since the API name is logged in many conditions (info, debug, etc.); this would unnecessarily create alerts in many cases.

*APIs are simply URLs which call a backend server.

shadowhunter_077

1 Answer

It would look something like this:

```spl
... | eval 'API-NAME'=if('API-NAME' AND (Error1 OR Error2),"Alert","No Issue") | search API-NAME="Alert" | table API-NAME
```

You could also use a `case` statement if you have many conditions.

You should then create a custom alert.

skoelpin
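As an added example (not part of the question or the answer above), here is one way to turn the approach into a scheduled alert in savedsearches.conf that fires once per API rather than globally: restrict the search to error-level events so the API name in INFO/DEBUG lines never triggers it, derive the API from the request path, test each error string with `match()`, and group by API. The index, sourcetype, field names, request-path format, error strings and email address are all assumptions.

```ini
# Added example: one scheduled alert that fires per API whose ERROR-level
# events contain any of the listed errors. Index, sourcetype, log_level field,
# path format and error strings are assumptions; adjust to your PCF logs.
[pcf_api_error_alert]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
# Only error-level events are considered, so the API name appearing in
# info/debug lines does not contribute. api_name is the first path segment
# after the HTTP method; case() yields null when no listed error matches.
search = index=pcf sourcetype="cf:logmessage" log_level=ERROR \
    | rex field=_raw "(?:GET|POST|PUT|DELETE)\s+(?<api_name>/[^/?\s]+)" \
    | eval hit=case(match(_raw, "Error1"), "Error1", \
                    match(_raw, "Error2"), "Error2", \
                    match(_raw, "Error3"), "Error3") \
    | where isnotnull(hit) AND isnotnull(api_name) \
    | stats count AS errors, values(hit) AS errors_seen BY api_name
# Trigger when any row comes back; digest_mode=0 sends one notification
# per result row, i.e. per affected API.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.digest_mode = 0
# Throttle repeat notifications for the same API for 30 minutes.
alert.suppress = 1
alert.suppress.fields = api_name
alert.suppress.period = 30m
action.email = 1
action.email.to = api-oncall@example.com
```

Run the `search =` value on its own in the search bar first to confirm the `rex` extraction populates `api_name` for your log format before enabling the schedule.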