Alerting

Alert based on time range and message

Jiten009
Explorer

Hi All,

I want to set alerts based on the message in a particular time range. My logs look like:

08 Apr 2013 11:31:48,987 INFO Scheduler-Job-3 FileUtil - time=2013-04-08T11:31:48.987CDT,Level=Info,Message = File scheduler done

This task executes every day at 11.30, so I want to set an alert if the "File scheduler done" message does not appear in the logs between 11.30 and 11.40.

Please help me create such an alert.

1 Solution

jonuwz
Influencer

Try defining it this way:

search = "File scheduler done"
start time = @d+11h+30m
end time = @d+11h+40m
schedule type = cron
cron schedule = 45 11 * * *
alert condition = if number of events is equal to 0
alert mode = once per search


Jiten009
Explorer

Hi,

I tried it this way and it's working. I am not sure if it fails to alert in any exceptional scenario.

earliest=@d+690m latest=@d+700m AND Message != "File scheduler done"

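The absence check that the accepted answer configures, reimplemented in Python over constructed log lines in the question's format so the normal, late and silent cases can be stepped through offline. This is an added example, not Splunk code or anything posted in the thread; the window and message come from the thread, while the sample lines and the `count_other` comparison with the follow-up's `!=` search are assumptions of this example.

```python
import re
from datetime import date, datetime, time

# Log format quoted in the question: leading timestamp, then a key=value tail ending in "Message = ...".
LINE_RE = re.compile(r"^(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}),\d{3} .*?Message = (.*)$")
EXPECTED = "File scheduler done"
WINDOW_START = time(11, 30)  # earliest = @d+11h+30m (inclusive)
WINDOW_END = time(11, 40)    # latest   = @d+11h+40m (exclusive, as in Splunk)

def parse_line(line):
    """Return (timestamp, message) or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S"), m.group(2).strip()

def events_in_window(lines, day):
    """Parsed events that fall inside that day's 11:30-11:40 window."""
    for parsed in map(parse_line, lines):
        if parsed and parsed[0].date() == day and WINDOW_START <= parsed[0].time() < WINDOW_END:
            yield parsed

def count_expected(lines, day):
    """Accepted answer: search "File scheduler done" over the window and count hits."""
    return sum(1 for _, msg in events_in_window(lines, day) if msg == EXPECTED)

def count_other(lines, day):
    """Follow-up search: Message != "File scheduler done" over the same window."""
    return sum(1 for _, msg in events_in_window(lines, day) if msg != EXPECTED)

def should_alert(lines, day):
    """Alert condition from the accepted answer: number of expected events equal to 0."""
    return count_expected(lines, day) == 0

# Constructed sample logs (not from the thread) for three different days.
GOOD_DAY = [
    "08 Apr 2013 11:31:48,987 INFO Scheduler-Job-3 FileUtil - time=2013-04-08T11:31:48.987CDT,Level=Info,Message = File scheduler done",
    "08 Apr 2013 11:32:01,100 INFO Scheduler-Job-4 FileUtil - time=2013-04-08T11:32:01.100CDT,Level=Info,Message = Cleanup done",
]
LATE_DAY = [  # job finished after the window closed; only an unrelated event is inside it
    "09 Apr 2013 11:33:00,000 WARN Scheduler-Job-4 FileUtil - time=2013-04-09T11:33:00.000CDT,Level=Warn,Message = Retrying upload",
    "09 Apr 2013 11:41:05,001 INFO Scheduler-Job-3 FileUtil - time=2013-04-09T11:41:05.001CDT,Level=Info,Message = File scheduler done",
]
SILENT_DAY = []  # nothing logged at all, e.g. host or forwarder down

if __name__ == "__main__":
    for name, lines, day in [("good", GOOD_DAY, date(2013, 4, 8)), ("late", LATE_DAY, date(2013, 4, 9)),
                             ("silent", SILENT_DAY, date(2013, 4, 10))]:
        print(f"{name}: {'ALERT' if should_alert(lines, day) else 'ok'} "
              f"(expected={count_expected(lines, day)}, other={count_other(lines, day)})")
```

On the constructed data `count_other` is 1 on both the good day and the late day, so a `!=` filter alone cannot tell them apart, whereas counting hits for the expected message and alerting on zero flags the late day and the silent day only.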

Jiten009
Explorer

Thanks for your help.
