Hi,
I have an async producer/consumer each logging something like:
producer:
log.info("id=123, status=produced");
consumer:
log.info("id=123, status=consumed");
where id is the transaction ID.
I want to get alerted only when the producer is producing and, for some reason, the consumer has stopped consuming.
I did write something like:
index="myindex" sourcetype="mysourcetype" | transaction id startswith=(status="produced") endswith=(status="consumed") keepevicted=true maxevents=10 | stats count by closed_txn
Then I ran both producer and consumer simultaneously and observed Splunk showing 0 and 1 for closed_txn.
My assumption is that I should see closed_txn as 1 as both consumer and producer are running.
Later I killed the consumer and let the producer keep running.
Still I get closed_txn showing up as 1 and 0, whereas I thought Splunk should only report 0, as the transaction failed because there is no log from the consumer.
I am not sure if I am doing it right.
In summary I want to get alerted when there is production but no consumption.
I don't want to get alerted when there is no production.
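As an added illustration that is not part of the original post, the following Python script is a small stand-in for what `transaction id startswith=... endswith=...` followed by `stats count by closed_txn` does, run over constructed producer/consumer log lines. It groups events by transaction id, marks a transaction closed only when a consumed event follows a produced event for the same id, counts open versus closed transactions, and builds the alert condition the post asks for: fire when something was produced and not consumed, stay quiet when nothing was produced at all. It deliberately ignores Splunk's maxevents/maxspan/eviction behaviour, so it is a simplified model, not Splunk's implementation; the log lines and ids are constructed for the example.

```python
"""Added example (not from the original post): a simplified model of Splunk's
transaction/closed_txn logic over constructed producer/consumer log lines,
plus an alert condition for "produced but never consumed"."""
import re
from collections import OrderedDict

# Constructed sample log lines (not real output from the poster's system).
LOG_LINES = [
    "2024-01-01T10:00:00 id=123, status=produced",
    "2024-01-01T10:00:01 id=123, status=consumed",
    "2024-01-01T10:00:02 id=124, status=produced",
    "2024-01-01T10:00:03 id=124, status=consumed",
    "2024-01-01T10:00:04 id=125, status=produced",   # consumer never picked it up
    "2024-01-01T10:00:05 id=126, status=produced",   # consumer never picked it up
]

# Field extraction equivalent to the key=value pairs in the post's log format.
LINE_RE = re.compile(r"id=(?P<id>\d+),\s*status=(?P<status>\w+)")


def parse(lines):
    """Yield (id, status) tuples in arrival order; lines that don't match are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("id"), m.group("status")


def build_transactions(lines):
    """Group events by id. A transaction is closed (closed_txn=1) only when a
    'consumed' event follows a 'produced' event for the same id; anything else
    stays open (closed_txn=0), which is what keepevicted=true keeps visible."""
    txns = OrderedDict()
    for tid, status in parse(lines):
        t = txns.setdefault(tid, {"closed_txn": 0, "events": []})
        t["events"].append(status)
        if status == "consumed" and "produced" in t["events"]:
            t["closed_txn"] = 1
    return txns


def count_by_closed_txn(txns):
    """Equivalent of `| stats count by closed_txn`: {0: open, 1: closed}."""
    counts = {0: 0, 1: 0}
    for t in txns.values():
        counts[t["closed_txn"]] += 1
    return counts


def should_alert(txns):
    """Alert only when at least one id was produced AND at least one produced id
    was never consumed. No production at all means no alert."""
    produced = [t for t in txns.values() if "produced" in t["events"]]
    if not produced:
        return False
    return any(t["closed_txn"] == 0 for t in produced)


if __name__ == "__main__":
    txns = build_transactions(LOG_LINES)
    print(count_by_closed_txn(txns))  # {0: 2, 1: 2}: two consumed, two stuck
    print("ALERT: produced but not consumed" if should_alert(txns) else "ok")
```

Seeing both closed_txn=0 and closed_txn=1 in one search window is expected whenever some ids completed and others did not (or had not yet completed when the window ended), so the useful alert condition is not "only zeros appear" but "the count of produced-and-never-consumed transactions is greater than zero", as `should_alert` computes; if the producer is idle, no produced events exist and the condition stays false.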