https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-alert-when-status-field-is-true-for-more-than/m-p/696426#M236690 <P>Your data does not match your description - the Status field appears to be either "up" or "Down" not "true" - because of this, it is not clear whether you want an alert if there has been a period of at least 5 minutes of Status being "Down" or Status being "up" anywhere within the time period of the search - please clarify your requirement</P> Thu, 15 Aug 2024 23:06:43 GMT ITWhisperer 2024-08-15T23:06:43Z https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-alert-when-status-field-is-true-for-more-than/m-p/696420#M236689 <P>I have search query, if the Status is field is true for more than 5 min, I need to trigger an alert&nbsp; no matter the Event count result. if its within the timeframe then fire.<BR />Mabey even have it search for every 1minute.<BR /><BR /></P><P><BR />for example&nbsp; this should not fire an Alert because it recovered within the 5 min</P><P>1:00 Status = Down&nbsp; &nbsp;(event result count X5)<BR />1:03 Status = up<BR />1:07 Status = Down&nbsp; (event count X3)<BR />1:10 Status = up<BR />1:13 Status = up<BR />1:16 Status = up<BR /><BR /></P><P>for example&nbsp; this should&nbsp; fire an Alert&nbsp;</P><P>1:00 Status = Down&nbsp;&nbsp;(event result count X1)<BR />1:03 Status = Down&nbsp;(event result count X1)<BR />1:07 Status = Down&nbsp;(event result count X1)<BR />1:10 Status = up<BR />1:13 Status = up<BR />1:16 Status = up</P> Thu, 15 Aug 2024 21:48:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-alert-when-status-field-is-true-for-more-than/m-p/696420#M236689 Cheng2Ready 2024-08-15T21:48:25Z https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-alert-when-status-field-is-true-for-more-than/m-p/696426#M236690 <P>Your data does not match your description - the Status field appears to be either "up" or "Down" not "true" - because of this, it is not clear whether you want an alert if there has been a period of at least 5 minutes of Status being "Down" or Status being "up" anywhere within the time period of the search - please clarify your requirement</P> Thu, 15 Aug 2024 23:06:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-alert-when-status-field-is-true-for-more-than/m-p/696426#M236690 ITWhisperer 2024-08-15T23:06:43Z https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-alert-when-status-field-is-true-for-more-than/m-p/696427#M236691 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;<SPAN>want an alert if there has been a period for every1 minute of at least 5 minutes of Status being "Down" and if its interrupted with a status = Up then it resets the count and will not alert regarding the amount of event counts</SPAN></P> Thu, 15 Aug 2024 23:09:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-alert-when-status-field-is-true-for-more-than/m-p/696427#M236691 Cheng2Ready 2024-08-15T23:09:32Z https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-alert-when-status-field-is-true-for-more-than/m-p/696428#M236692 <P><SPAN><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;This is what I imagine it should look like&nbsp;<BR />but im not sure if there is a way to add in a condition for Streamstats&nbsp;<BR />for this command?&nbsp; or a workaround?<BR />"reset_on_change= if (status="UP", 1, 0)&nbsp; "<BR /><BR />| bucket span=1m _time<BR />| eval status_change=if(status="DOWN",1,0)<BR />| streamstats sum(status_change) as down_count&nbsp; reset_on_change= if (status="UP", 1, 0)<BR />| eval is_alert=if(down_count &gt;=5 AND status="DOWN",1,0)<BR />| where is_alert=1</SPAN></P> Thu, 15 Aug 2024 23:23:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-alert-when-status-field-is-true-for-more-than/m-p/696428#M236692 Cheng2Ready 2024-08-15T23:23:28Z