Solved: Alert based on time range and message

Jiten009 · ‎04-09-2013

Hi All,

I want to set alerts based on the message in a particular time range. My logs look like :

08 Apr 2013 11:31:48,987 INFO Scheduler-Job-3 FileUtil - time=2013-04-08T11:31:48.987CDT,Level=Info,Message = File scheduler done

This task will execute every day at 11.30, so I want to set an alert if "File scheduler done" message is not appearing in logs between 11.30 to 11.40.

Please help me in creating such alert.

jonuwz · ‎04-09-2013

Try this definiing it this way :

search = "File scheduler done"
start time = @d+11h+30m
end time = @d+11h+40m
schedule type = cron
cron schedule = 45 11 * * *
alert condition = if number of events is equal to 0
alert mode = once per search

View solution in original post

Jiten009 · ‎04-09-2013

Hi,

I tried this way and its working. I am not sure if it fails to alert in any exceptional scenario.

earliest=@d+690m latest=@d+700m AND Message != "File scheduler done"

jonuwz · ‎04-09-2013

Try this definiing it this way :

search = "File scheduler done"
start time = @d+11h+30m
end time = @d+11h+40m
schedule type = cron
cron schedule = 45 11 * * *
alert condition = if number of events is equal to 0
alert mode = once per search

Jiten009 · ‎04-09-2013

Thanks for your help.

Alert based on time range and message

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life