https://community.splunk.com/t5/Alerting/Setting-duration-in-search-and-save-as-an-alert/m-p/535399#M10101 <P>We are trying to set an alert for a sub_A to trigger if no data is sent&nbsp; in 1 hour duration.&nbsp; The previous splunk expert wrote the search below, and i was under the impression to change the "+24h@h" to "1h@h" and "86400",&nbsp; to 3600 would change the parameter of the alert.</P><P>| where now()&gt;relative_time(LastFileXfer, "+24h@h")<BR />| eval DaysOld=round((now() - round(LastFileXfer, 0))/86400, 2)</P><P>&nbsp;</P><P>Does this need to be changed when saving the alert in menu section of the alert?</P><P>-----Thank you-----</P><P>&nbsp;</P><P>------Search------</P><P>index=dart_index source=OPS_NIPR_DART_DMZ_IncomingOutgoing status_message="OK" earliest=-48h@h subscription_name IN ("Sub_A")<BR />| eval DeliveryComplete=strptime(delivery_complete, "%Y-%m-%d %H:%M:%S")<BR />| stats values(src_host) as Source, values(dest_host) as Destination, values(login_name) as DataOwner, values(host_name) as DartNode, values(xfer_type) as XferMethod, min(DeliveryComplete) as EarliestFileXfer, max(DeliveryComplete) as LastFileXfer by subscription_name<BR />| where now()&gt;relative_time(LastFileXfer, "+24h@h")<BR />| eval DaysOld=round((now() - round(LastFileXfer, 0))/86400, 2)<BR />| eval EarliestFileXfer=strftime(EarliestFileXfer, "%Y-%m-%d %H:%M:%S")<BR />| eval LastFileXfer=strftime(LastFileXfer, "%Y-%m-%d %H:%M:%S")<BR />| table subscription_name Source Destination DataOwner DartNode XferMethod EarliestFileXfer LastFileXfer DaysOld</P> Mon, 11 Jan 2021 20:37:00 GMT pdreef 2021-01-11T20:37:00Z https://community.splunk.com/t5/Alerting/Setting-duration-in-search-and-save-as-an-alert/m-p/535399#M10101 <P>We are trying to set an alert for a sub_A to trigger if no data is sent&nbsp; in 1 hour duration.&nbsp; The previous splunk expert wrote the search below, and i was under the impression to change the "+24h@h" to "1h@h" and "86400",&nbsp; to 3600 would change the parameter of the alert.</P><P>| where now()&gt;relative_time(LastFileXfer, "+24h@h")<BR />| eval DaysOld=round((now() - round(LastFileXfer, 0))/86400, 2)</P><P>&nbsp;</P><P>Does this need to be changed when saving the alert in menu section of the alert?</P><P>-----Thank you-----</P><P>&nbsp;</P><P>------Search------</P><P>index=dart_index source=OPS_NIPR_DART_DMZ_IncomingOutgoing status_message="OK" earliest=-48h@h subscription_name IN ("Sub_A")<BR />| eval DeliveryComplete=strptime(delivery_complete, "%Y-%m-%d %H:%M:%S")<BR />| stats values(src_host) as Source, values(dest_host) as Destination, values(login_name) as DataOwner, values(host_name) as DartNode, values(xfer_type) as XferMethod, min(DeliveryComplete) as EarliestFileXfer, max(DeliveryComplete) as LastFileXfer by subscription_name<BR />| where now()&gt;relative_time(LastFileXfer, "+24h@h")<BR />| eval DaysOld=round((now() - round(LastFileXfer, 0))/86400, 2)<BR />| eval EarliestFileXfer=strftime(EarliestFileXfer, "%Y-%m-%d %H:%M:%S")<BR />| eval LastFileXfer=strftime(LastFileXfer, "%Y-%m-%d %H:%M:%S")<BR />| table subscription_name Source Destination DataOwner DartNode XferMethod EarliestFileXfer LastFileXfer DaysOld</P> Mon, 11 Jan 2021 20:37:00 GMT https://community.splunk.com/t5/Alerting/Setting-duration-in-search-and-save-as-an-alert/m-p/535399#M10101 pdreef 2021-01-11T20:37:00Z https://community.splunk.com/t5/Alerting/Setting-duration-in-search-and-save-as-an-alert/m-p/535408#M10104 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229967">@pdreef</a>&nbsp;, looking at query and requirement, this should work by replacing <A href="mailto:24h@h" target="_blank">24h@h</A>&nbsp;by 1h&nbsp; in below line considering you want to check that there should be data every 1 hour duration irrespective of the mm value in hh:mm.</P><P><SPAN>| where now()&gt;relative_time(LastFileXfer, "+1h")</SPAN></P><P>&nbsp;</P><P><SPAN>Hope this helps!</SPAN></P> Mon, 11 Jan 2021 23:32:52 GMT https://community.splunk.com/t5/Alerting/Setting-duration-in-search-and-save-as-an-alert/m-p/535408#M10104 Nisha18789 2021-01-11T23:32:52Z https://community.splunk.com/t5/Alerting/Setting-duration-in-search-and-save-as-an-alert/m-p/535555#M10107 <P>Yes, that worked. Thank you. I tired had and extra "h" and this is why it wasn't working.</P> Tue, 12 Jan 2021 20:22:37 GMT https://community.splunk.com/t5/Alerting/Setting-duration-in-search-and-save-as-an-alert/m-p/535555#M10107 pdreef 2021-01-12T20:22:37Z https://community.splunk.com/t5/Alerting/Setting-duration-in-search-and-save-as-an-alert/m-p/535648#M10110 <P>Great&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229967">@pdreef</a>&nbsp;, could youplease mark my response as solution.</P> Wed, 13 Jan 2021 13:09:26 GMT https://community.splunk.com/t5/Alerting/Setting-duration-in-search-and-save-as-an-alert/m-p/535648#M10110 Nisha18789 2021-01-13T13:09:26Z https://community.splunk.com/t5/Alerting/Setting-duration-in-search-and-save-as-an-alert/m-p/535691#M10111 <P>Of course, thanks again for your help.&nbsp;</P> Wed, 13 Jan 2021 17:29:06 GMT https://community.splunk.com/t5/Alerting/Setting-duration-in-search-and-save-as-an-alert/m-p/535691#M10111 pdreef 2021-01-13T17:29:06Z