I need to create an alert which will trigger whenever "reason": "LOCKED" appears more than 15% of the time in the previous 1 hour. Checks are to be made every 10m. This should happen only for "operation":"ENROLL" and "operation":"BIND".
I have this query which gives me the locked transactions, but if I combine it with operation:BIND or ENROLL then I don't get any results, even though the application is throwing logs for these.
index=abc cf_app_name="stack-overflow" "reason": "LOCKED" AND "operation":"ENROLL"
Below is the sample log:
{
  "id": "c90f975cb368",
  "source": {
    "domain": "ABC",
    "version": "1.0.0",
    "environment": "stage"
  },
  "namespace": "a.b.c",
  "resource": "CARD",
  "operation": "ENROLL",
  "state": "FAILED",
  "tags": ["kpi"],
  "createTime": 156898900,
  "context": {
    "correlationId": "0-6093d36"
  },
  "data": {
    "dpaData": {
      "dpaId": "1d457051052e71730e71cc5a",
      "srctId": "526e1bcf-ca6ce85ee9cb",
      "durbinRights": false
    },
    "dcfData": {},
    "srciData": {
      "srcId": "526e1ca6ce85ee9cb",
      "name": "mcd"
    },
    "appInstanceData": {
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36",
      "abcdefghijklmnopqrstuvwxyz\"}",
      "remoteIpAddress": "[login to view URL]",
      "httpXForwardedFor": "[login to view URL]"
    },
    "authenticationData": {
      "expiration": false,
      "authenticationResult": {
        "reason": "LOCKED"
      },
      "emailVerified": false,
      "phoneVerified": false
    },
    "consumerData": {},
    "error": {
      "reason": "LOCKED",
      "message": "Access is denied to the requested resource. The user account has been locked., card locked time: [166898828]",
      "http-response-code": "400"
    }
  }
}
I just need the query which will give the events where "reason": "LOCKED" under the field error appears along with "operation": "ENROLL"
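One way to build the search and the alert described above, as an added example that is not part of the original post. Rather than matching the literal text `"reason": "LOCKED"` in `_raw` (a phrase search only matches if the event is serialised with exactly that spacing, and it also matches the `authenticationResult.reason` field, not just `error.reason`), it extracts the nested JSON fields with `spath` and filters on them. The field paths `operation` and `data.error.reason` follow the sample event; `err_reason` is a name chosen here. It assumes the raw event is the JSON object shown, one object per event, and computes the LOCKED share per operation over the last hour:

```spl
index=abc cf_app_name="stack-overflow" earliest=-60m@m latest=@m
| spath output=operation path=operation
| spath output=err_reason path=data.error.reason
| search operation IN ("ENROLL", "BIND")
| stats count AS total, count(eval(err_reason=="LOCKED")) AS locked BY operation
| eval locked_pct = round(100 * locked / total, 2)
| where locked_pct > 15
```

Save this as a scheduled alert with cron schedule `*/10 * * * *` and the time range set by the `earliest`/`latest` terms in the search; trigger when the number of results is greater than 0, so it fires whenever either ENROLL or BIND exceeds 15% LOCKED in the trailing hour. To treat ENROLL and BIND as one pool instead of alerting per operation, drop `BY operation` from the `stats` line. The first three lines on their own (plus `| search operation="ENROLL" err_reason="LOCKED"`) return the individual events where `error.reason` is LOCKED for ENROLL, which is the query asked for.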
I am a Splunk developer and an admin with 3 years of professional expertise.
I am well versed in the creation of complex logic using the Splunk processing language.