topic Re: Splunk alert to be triggered based on time of the day in Splunk Search

Splunk alert to be triggered based on time of the day

anweshar — Mon, 24 Jun 2019 09:52:49 GMT

My search condition is checking for results less than 10 every 45 minutes. The problem is we don't have that much traffic in the night to make it up to 10 searches. Is there an option to alert based on time of the day, for example trigger an alert if the number of searches is less than 10 between 09:00 to 18:00 and in the off hours trigger an alert if the number of searches is less than 3.

I can write a separate splunk alert to cover off hours but wanted to check if there is an option to do this in the one alert.

Re: Splunk alert to be triggered based on time of the day

adonio — Mon, 24 Jun 2019 12:20:09 GMT

you can write an eval statement for example and alert on its results, example:
... your search ... | eval bus_hours = if(date_hour>=9 AND date_hour<=18,"yes","no") ... | eval alert = if(your_count < 10 AND bus_hours = "yes","alert","not_alert) ...

and now count the new alert field or configure your alert however you want

hope it helps

Re: Splunk alert to be triggered based on time of the day

jkat54 — Mon, 24 Jun 2019 13:41:17 GMT

I've been told not to use date_wday with stats due to some typical fringe cases where it's inaccurate. It's a calculated field after all.

It would be better (again I'm told by the smarter folks) to eval the hour like this:

| eval hour=strftime(_time,"%H")

Then use the conditional logic on it.

Re: Splunk alert to be triggered based on time of the day

woodcock — Mon, 24 Jun 2019 19:56:54 GMT

The date_* fields can be used IF they are there (there are not in every sourcetype/event); just be aware that they are interpreted to be in the timezome of the local event, not normalized to GMT/Zulu.