https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311909#M93448 <P>sourcetype=xyz ciscoLwappApIfDownNotify OR ciscoLwappApIfUpNotify OR bsnDot11StationAssociate | rex "CISCO-LWAPP-AP-MIB::cLApName.0</P> <PRE><CODE>= STRING: (?&lt;apname&gt;\S+)" | rex "AIRESPACE-WIRELESS-MIB::bsnAPName.0 = STRING: \"(?&lt;apname&gt;\S+)?\"" | rex "CISCO-LWAPP-AP-MIB ::cLApDot11IfSlotId.0 = Gauge32: (?&lt;radioslot&gt;\S+)" | rex "AIRESPACE-WIRELESS-MIB::bsnStationAPIfSlotId.0 = INTEGER: (?&lt;radioslot &gt;\S+)"| stats earliest(_time) as _time latest(_time) as time latest(snmpTrapOID_0) as action values(radioslot) as radioslot values(cLApIfUpDownCause_0) as Cause values(cLApIfUpDownFailureCode_0) as failurecode values(cLApIfUpDownFailureType_0) as failuretype values(cLApSysMacAddress_0) as apmac values(cLApAdminStatus_0) as adminstatus by apname | eval age=now()-time | where age&gt;300 AND action="OID: CISCO-LWAPP-AP-MIB::ciscoLwappApIfDownNotify" </CODE></PRE> <P>I run this every 30 min for past 5 hrs, currently 2 results are shown but I don't receive as an alert</P> Sun, 26 Nov 2017 15:07:01 GMT syjayaraj 2017-11-26T15:07:01Z https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311905#M93444 <P>I have used transaction and non transaction method.<BR /> Non transaction method yields result but the results are not being sent as an alert.<BR /> Could some one help how to achieve without using stats earliest latest commands, probably using if condition.<BR /> Example:</P> <P>Event1: hostname slot 1 down<BR /> Event2: hostname slot 1 up</P> <P>If event 2 doesn't arive in 10 min , I need to get an alert ,<BR /> Give examples if event 2 also be in different source type</P> Sun, 26 Nov 2017 10:03:56 GMT https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311905#M93444 syjayaraj 2017-11-26T10:03:56Z https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311906#M93445 <P>Why is there the arbitrary constraint on not being able to use the stats earliest or latest commands? (It's not necessarily an issue in finding a solution, but I think many people who read this would like to know - have you had issues out of those before? Do you have a earliest/latest solution but someone's double-dared you to do it without?)</P> Sun, 26 Nov 2017 12:48:53 GMT https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311906#M93445 Richfez 2017-11-26T12:48:53Z https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311907#M93446 <P>“hostname slot 1 down” OR “hostname slot 1 up” _index_earliest=-15m@m _index_latest=-5m@m</P> <P>Trigger condition is if number of results are less than 2, corn schedule is </P> <PRE><CODE> 0,10,20,30,40,50 * * * * </CODE></PRE> <P>Assumes you only get one “down” event and don’t have any fields extracted.</P> Tue, 29 Sep 2020 16:56:59 GMT https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311907#M93446 jkat54 2020-09-29T16:56:59Z https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311908#M93447 <P>Dear Rich, <BR /> I have spent considerable amount of time to get an alert, till now no luck,<BR /> When run manually it shows the results but not as alert email(email never comes)</P> <P>Transaction never works at all</P> <P>Something splunk doesn't like,<BR /> I'll post exact search string</P> Sun, 26 Nov 2017 14:37:56 GMT https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311908#M93447 syjayaraj 2017-11-26T14:37:56Z https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311909#M93448 <P>sourcetype=xyz ciscoLwappApIfDownNotify OR ciscoLwappApIfUpNotify OR bsnDot11StationAssociate | rex "CISCO-LWAPP-AP-MIB::cLApName.0</P> <PRE><CODE>= STRING: (?&lt;apname&gt;\S+)" | rex "AIRESPACE-WIRELESS-MIB::bsnAPName.0 = STRING: \"(?&lt;apname&gt;\S+)?\"" | rex "CISCO-LWAPP-AP-MIB ::cLApDot11IfSlotId.0 = Gauge32: (?&lt;radioslot&gt;\S+)" | rex "AIRESPACE-WIRELESS-MIB::bsnStationAPIfSlotId.0 = INTEGER: (?&lt;radioslot &gt;\S+)"| stats earliest(_time) as _time latest(_time) as time latest(snmpTrapOID_0) as action values(radioslot) as radioslot values(cLApIfUpDownCause_0) as Cause values(cLApIfUpDownFailureCode_0) as failurecode values(cLApIfUpDownFailureType_0) as failuretype values(cLApSysMacAddress_0) as apmac values(cLApAdminStatus_0) as adminstatus by apname | eval age=now()-time | where age&gt;300 AND action="OID: CISCO-LWAPP-AP-MIB::ciscoLwappApIfDownNotify" </CODE></PRE> <P>I run this every 30 min for past 5 hrs, currently 2 results are shown but I don't receive as an alert</P> Sun, 26 Nov 2017 15:07:01 GMT https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311909#M93448 syjayaraj 2017-11-26T15:07:01Z https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311910#M93449 <P>Index earliest I tried I believe;<BR /> Still I have to use stats earliest and latest right?</P> Sun, 26 Nov 2017 15:09:02 GMT https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311910#M93449 syjayaraj 2017-11-26T15:09:02Z https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311911#M93450 <P>Not really. At least in most cases I can think of the only time you might really need stats latest or earliest would be to do “more work” on the results afterwards. The use case you presented seems like it has simpler solutions, like the one that jkat54 provided. </P> <P>I would use a cron of <CODE>*/10 * * * *</CODE></P> Sun, 26 Nov 2017 15:38:28 GMT https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311911#M93450 Richfez 2017-11-26T15:38:28Z https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311912#M93451 <P>No, this search is going to run every 10 minutes and account for indexing latency of up to 5 minutes. If there are less than two events found, then it will trigger the alert.</P> Mon, 27 Nov 2017 00:19:40 GMT https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311912#M93451 jkat54 2017-11-27T00:19:40Z https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311913#M93452 <P>Not working in my case</P> Mon, 27 Nov 2017 17:21:25 GMT https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311913#M93452 syjayaraj 2017-11-27T17:21:25Z https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311914#M93453 <P>If you run the search it's based on as a regular search, does that return results? Would any of those returned results indicate the alert <EM>should</EM> have fired? </P> Mon, 27 Nov 2017 17:23:49 GMT https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311914#M93453 Richfez 2017-11-27T17:23:49Z https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311915#M93454 <P>Run this every minute for the last 11 minutes:</P> <PRE><CODE>... | stats count count(eval(status="up")) AS ups max(_time) AS _time BY host slot | where ups=0 and count&gt;1 AND (now() - _time) &gt; (10 * 60)) </CODE></PRE> Mon, 04 Dec 2017 03:00:00 GMT https://community.splunk.com/t5/Splunk-Search/Send-Alert-if-one-event-doesn-t-occur-in-10-min/m-p/311915#M93454 woodcock 2017-12-04T03:00:00Z