https://community.splunk.com/t5/Alerting/How-do-you-trigger-an-alert-based-on-a-parameter-from-a/m-p/349338#M6153 <P>Hi Ponczi1,<BR /> at first if you haven't any event you canot use _time in mytime, so, try something like this:</P> <PRE><CODE>index=auth "File has been processed" | append [ search index=_internal | head 1 | eval mytime=strftime(now(), "%Y-%m-%d")] | stats values(mytime) AS mytime count | where count=1 | append [ search index=auth Add.N.Days | rex "&lt;retdate&gt;(?&lt;INDATE&gt;.*)&lt;/retdate&gt;" ] | where mytime=INDATE | table mytime </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Tue, 19 Dec 2017 15:01:36 GMT gcusello 2017-12-19T15:01:36Z https://community.splunk.com/t5/Alerting/How-do-you-trigger-an-alert-based-on-a-parameter-from-a/m-p/349337#M6152 <P>Hello, I am new to Splunk and i have a little problem with making an alert</P> <P>So i want to trigger an alert when I don't find any rows before 10:00AM that day</P> <P>The search looks like this </P> <PRE><CODE>index = auth "File has been processed" | eval mytime=strftime(_time, "%Y-%m-%d") </CODE></PRE> <P>And it woud be simple if it could trigger every day. Unfortunately i need to check if the day the alert should trigger is in another log (trigger if the date is same)</P> <P>To get that date i use that query (INDATE is yyyy-mm-dd)</P> <PRE><CODE>index=auth Add.N.Days |rex "&lt;retdate&gt;(?&lt;INDATE&gt;.*)&lt;/retdate&gt;" </CODE></PRE> <P>So basically i need to check if first search finds anything until 10:00 AM and if not, then trigger an alert but only if the INDATE is the same as the "mytime" from first query. Any suggestions?</P> Tue, 19 Dec 2017 13:45:43 GMT https://community.splunk.com/t5/Alerting/How-do-you-trigger-an-alert-based-on-a-parameter-from-a/m-p/349337#M6152 Ponczi1 2017-12-19T13:45:43Z https://community.splunk.com/t5/Alerting/How-do-you-trigger-an-alert-based-on-a-parameter-from-a/m-p/349338#M6153 <P>Hi Ponczi1,<BR /> at first if you haven't any event you canot use _time in mytime, so, try something like this:</P> <PRE><CODE>index=auth "File has been processed" | append [ search index=_internal | head 1 | eval mytime=strftime(now(), "%Y-%m-%d")] | stats values(mytime) AS mytime count | where count=1 | append [ search index=auth Add.N.Days | rex "&lt;retdate&gt;(?&lt;INDATE&gt;.*)&lt;/retdate&gt;" ] | where mytime=INDATE | table mytime </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Tue, 19 Dec 2017 15:01:36 GMT https://community.splunk.com/t5/Alerting/How-do-you-trigger-an-alert-based-on-a-parameter-from-a/m-p/349338#M6153 gcusello 2017-12-19T15:01:36Z https://community.splunk.com/t5/Alerting/How-do-you-trigger-an-alert-based-on-a-parameter-from-a/m-p/349339#M6154 <P>Use this as an alert search. The subsearch will return INDATE as current date when index=auth query doesn't return any results (you need to add proper time range to the subsearch). It'll return <CODE>DummyWillNotMatch</CODE> if the index=auth has data, so it'll not match with <CODE>Add.N.Days</CODE>. You alert condition should be <CODE>number of events greater than 0</CODE>.</P> <PRE><CODE>index=auth Add.N.Days | rex "&lt;retdate&gt;(?&lt;INDATE&gt;.*)&lt;/retdate&gt;" | search [search index = auth "File has been processed" | eval INDATE="DummyWillNotMatch" | appendpipe [| stats count | where count=0 | eval INDATE=strftime(now(), "%Y-%m-%d") | stats values(INDATE) as INDATE ] </CODE></PRE> Tue, 19 Dec 2017 15:49:04 GMT https://community.splunk.com/t5/Alerting/How-do-you-trigger-an-alert-based-on-a-parameter-from-a/m-p/349339#M6154 somesoni2 2017-12-19T15:49:04Z https://community.splunk.com/t5/Alerting/How-do-you-trigger-an-alert-based-on-a-parameter-from-a/m-p/349340#M6155 <P>Love it! Thank you</P> Wed, 20 Dec 2017 07:11:05 GMT https://community.splunk.com/t5/Alerting/How-do-you-trigger-an-alert-based-on-a-parameter-from-a/m-p/349340#M6155 Ponczi1 2017-12-20T07:11:05Z