https://community.splunk.com/t5/Alerting/How-do-I-schedule-and-create-a-Search-Alert/m-p/608038#M14101 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207926">@anandhalagaras1</a>,</P><P>you have to create a simple search like the ones you shared</P><LI-CODE lang="markup">index=abc sourcetype=xyz host=mno "load is high" earliest=-80m@m latest=now</LI-CODE><P>and schedule it to execute every hour and trigger when there's no result.</P><P>Only one thing: I don't like to have a frequency different than time window because you could have two triggers or the same event, so I hint to use 60 minutes both for frequency and time window.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 03 Aug 2022 08:38:56 GMT gcusello 2022-08-03T08:38:56Z https://community.splunk.com/t5/Alerting/How-do-I-schedule-and-create-a-Search-Alert/m-p/608024#M14100 <P>Hi Team,</P> <P>I have a requirement for alert creating and scheduling the same in Splunk.</P> <P>So for this below mentioned query :</P> <P>"index=abc sourcetype=xyz host=mno "load is high"</P> <P>There would be only one event exactly present for every one hour i.e. (every 60 minutes) for this query so our requirement is that if there is no event for 1 hour and 10 minutes (i.e. 80 minutes) then it needs to trigger an email to the recipients.&nbsp;</P> <P>So how to achieve this in alert configuration and how should i need to schedule the cron as well &amp; also what should be the time range should i need to choose as well and what would be the trigger condition we need to set.</P> <P>&nbsp;</P> <P>So kindly help on the same.</P> <P>&nbsp;</P> Wed, 03 Aug 2022 15:17:41 GMT https://community.splunk.com/t5/Alerting/How-do-I-schedule-and-create-a-Search-Alert/m-p/608024#M14100 anandhalagaras1 2022-08-03T15:17:41Z https://community.splunk.com/t5/Alerting/How-do-I-schedule-and-create-a-Search-Alert/m-p/608038#M14101 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207926">@anandhalagaras1</a>,</P><P>you have to create a simple search like the ones you shared</P><LI-CODE lang="markup">index=abc sourcetype=xyz host=mno "load is high" earliest=-80m@m latest=now</LI-CODE><P>and schedule it to execute every hour and trigger when there's no result.</P><P>Only one thing: I don't like to have a frequency different than time window because you could have two triggers or the same event, so I hint to use 60 minutes both for frequency and time window.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 03 Aug 2022 08:38:56 GMT https://community.splunk.com/t5/Alerting/How-do-I-schedule-and-create-a-Search-Alert/m-p/608038#M14101 gcusello 2022-08-03T08:38:56Z https://community.splunk.com/t5/Alerting/How-do-I-schedule-and-create-a-Search-Alert/m-p/608039#M14102 <P>Thank you for your swift response.</P><P>So I have created the query as below:</P><P>index=abc sourcetype=xyz host=mno "load is high" earliest=-80m@m latest=now</P><PRE>&nbsp;</PRE><P>&nbsp;</P><P>And after which when i click to save as Alert.</P><P>I need to provide the Alert type as Scheduled and if i choose to run as cron schedule</P><P>Run On Cron Schedule</P><P>Time Range : Last 60 minutes</P><P>Cron Expression :&nbsp;0 * * * *</P><P>Trigger Conditions&nbsp;</P><P>Trigger Alert When : Number of Results</P><P>Is equal to 0</P><P>&nbsp;</P><P>So that if the keyword is not getting updated for 80 minutes it will through an alert? Correct me if i am wrong.</P><P>So will this be fine Kindly update please.</P> Wed, 03 Aug 2022 08:54:42 GMT https://community.splunk.com/t5/Alerting/How-do-I-schedule-and-create-a-Search-Alert/m-p/608039#M14102 anandhalagaras1 2022-08-03T08:54:42Z https://community.splunk.com/t5/Alerting/How-do-I-schedule-and-create-a-Search-Alert/m-p/608040#M14103 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>Thank you for your swift response.</P><P>So I have created the query as below:</P><P>index=abc sourcetype=xyz host=mno "load is high" earliest=-80m@m latest=now</P><P>And after which when i click to save as Alert.</P><P>I need to provide the Alert type as Scheduled and if i choose to run as cron schedule</P><P>Run On Cron Schedule</P><P>Time Range : Last 60 minutes</P><P>Cron Expression : 0 * * * *</P><P>Trigger Conditions</P><P>Trigger Alert When : Number of Results</P><P>Is equal to 0</P><P>&nbsp;</P><P>So that if the keyword is not getting updated for 80 minutes it will through an alert? Correct me if i am wrong.</P><P>So will this be fine Kindly update please.</P> Wed, 03 Aug 2022 08:55:43 GMT https://community.splunk.com/t5/Alerting/How-do-I-schedule-and-create-a-Search-Alert/m-p/608040#M14103 anandhalagaras1 2022-08-03T08:55:43Z https://community.splunk.com/t5/Alerting/How-do-I-schedule-and-create-a-Search-Alert/m-p/608044#M14104 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207926">@anandhalagaras1</a>,</P><P>the Trigger Condition: if there isn't any result in the search the alert triggers.</P><P>Think about what I said about time period!</P><P>Ciao.</P><P>Giuseppe</P> Wed, 03 Aug 2022 09:09:01 GMT https://community.splunk.com/t5/Alerting/How-do-I-schedule-and-create-a-Search-Alert/m-p/608044#M14104 gcusello 2022-08-03T09:09:01Z