topic Re: Time periods for query and alert in Splunk Search

Time periods for query and alert

alekseisaiko — Wed, 24 Jun 2020 18:35:15 GMT

Hi there!
I'm running this query index="staging" |eval raw_len=len(_raw) | eval raw_len_gb = raw_len/1024/1024/1024 | stats sum(raw_len_gb) as GB by kubernetes_namespace | where GB > 0.5
When I'm running this query in "Search", I choose "For the last 24 hours".
I want to save this query as alert, and the alert will run let's say once a hour.
The question is - will it run this query like I run it in search (last 24 hours)? Or I need to specify it inside a query (last 24 hours)?

Thanks,

Aleksei

Re: Time periods for query and alert

manjunathmeti — Wed, 04 Mar 2020 21:48:12 GMT

Once you run the search for last 24 hours and save it as an alert. Then alert runs search for for last 24 hours. You don't need to specify earliest and latest in search query.

You can also check Time Range in Edit Alert page.

Alert configuration in savedsearches.conf are stored as below:

[alert_name]
search = <search_query>
dispatch.earliest_time = -24h@h
dispatch.latest_time = now

Re: Time periods for query and alert

alekseisaiko — Thu, 05 Mar 2020 09:52:50 GMT

Thanks,

And what i I will add earliest=-24h to the query as well? It will always run the query and give results for the last 24 hours?

Re: Time periods for query and alert

manjunathmeti — Thu, 05 Mar 2020 10:00:33 GMT

Yes. Query will run for last 24 hours irrespective of Time Range set.

Re: Time periods for query and alert

alekseisaiko — Thu, 05 Mar 2020 10:06:12 GMT

Got it, thanks a lot for your answer!

Re: Time periods for query and alert

manjunathmeti — Fri, 06 Mar 2020 08:16:04 GMT

you're welcome.