Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Alert - Time interval

monteirolopes
Communicator
‎09-30-2016 05:48 AM

Hi,

I am using the function:

| stats count(name) AS x by name | where x >4

Results:

name count(name)
Paul 10
John 3

I would like to receive alerts when the number of names (count(name)) is greater than 4 in a 5 minutes time interval, after five minutes, the count will reset and start count again.
This alert must be set in real time or Cron Scheduled time? How Can I define 5 minutes on Cron Expression?

Best Regards,
Monteiro.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-30-2016 06:40 AM

You have to configure an alert using your search with a time period of 5 minutes and schedule it with this cron definition 

*/5 * * * *

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-30-2016 09:04 AM

If, you're ok with a delay of 5min to get the alert, run on Cron schedule time. Real-time alerts are expensive and they never complete. See @Cusello's answer for 5 min cron.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-30-2016 06:40 AM

You have to configure an alert using your search with a time period of 5 minutes and schedule it with this cron definition 

*/5 * * * *

Bye.
Giuseppe

Reply
Solved! Jump to solution

lyndac
Contributor
‎09-30-2016 06:09 AM

I believe the cron expression you are looking for is: 5 * * * *

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-30-2016 09:02 AM

Nopes... this is for running a search hourly at 5th min.

0 Karma
Reply
Solved! Jump to solution

lyndac
Contributor
‎09-30-2016 09:16 AM

Giuseppe is correct above, that is what I thought I typed, but apparently my fingers went another way.
Sorry. */5 * * * * is the correct one.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...