Splunk query/condition to check and trigger Alert 2 hours before the Job Completion time?

Ashwini008 — Wed, 14 Sep 2022 16:37:28 GMT

Hi ,

My Job completes at 4AM,I need to set up a alert to monitor the job status 2 hours before the job completion time i.e. at 2 AM i should start checking the Job Status if it completed or not,So starting from 2AM i should monitor and trigger the alert till the job is completed.

I am using below query but it doesn't make sense and doesn't satisfies my above condition.

| makeresults | eval CurrentTime="05:00:00" | eval CurrentTimepoch=strptime(CurrentTime,"%H:%M:%S") | eval SLATIME="04:00:00" | eval SLATIMEepoch=strptime(SLATIME,"%H:%M:%S") | eval Diff=(SLATIMEepoch-CurrentTimepoch) | eval Duration=if(Diff<0, "-", "") + tostring(abs(Diff), "duration") | eval check1=case(Duration>="02:00:00" AND STATUS!=C,"Trigger",1=1,"Dont")

Please help me how to capture specific time i.e. 2 AM and start checking the job status in the query?

Re: Splunk query/condition to check and trigger Alert 2 hours before the Job Completion time

JacekF — Wed, 14 Sep 2022 09:37:26 GMT

You have provided a very little information on your environment, but If I understand your problem correctly, the following should allow you to determine if current time is later than the checking trigger time (2AM)

| makeresults
| eval triggerTime = relative_time(now(), "@d") + (2*3600)
| eval check = if(now() > triggerTime, "Trigger", "Don't")

The relative_time function is used to round epoch time down to the beginning of the day and then the number of seconds 2 hours have (2*3600) is added.

topic Splunk query/condition to check and trigger Alert 2 hours before the Job Completion time? in Knowledge Management

Splunk query/condition to check and trigger Alert 2 hours before the Job Completion time?

Re: Splunk query/condition to check and trigger Alert 2 hours before the Job Completion time