Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alert doesn't run each minute

mclane1
Path Finder
‎05-18-2021 09:23 AM

Hello,

I created a small alert compiling data per minute for the last 24 hours:

 

 

(index=my*filter) (myConstraint) | bin span=1m _time
| eval fieldX=formule
| stats count(eval(field="OK")) AS OK, count as Total by index, field1, ..., fieldN, _time
| append [| inputlookup MyLookup.csv | addinfo | where _time > relative_time(info_max_time, "-24h")]
| stats max(OK) as OK, max(Total) as Total by index, field1, ..., fieldN, _time
| outputlookup append=f MyLookup.csv

 

 

I configure the alert with earliest=-5m and latest=now

Schedule window : 0

I try with and without acceleration without success.

I schedule my search : * * * * *

Expiration : I keep 1 h of alerts

The alert runs correctly but, it runs each 5 to 10 minutes.

I see in tasks the execution time is less than 15s (between 6 and 15 sec) :
 

Execution.jpg

 

 

 

 

 

 

 

 

 

The goal : another alert must run each 5 min and must look last 2h to generate alerts. Directly on the real time the alert duration is 3 min. I hope the inspect the "lookup" is quicker.

 

Labels (2)
Labels
0 Karma
Reply

anthonymelita
Contributor
‎05-18-2021 04:01 PM

Have you checked the audittrail rather than relying on the UI?

index=_audit sourcetype=audittrail action="search" info="completed" savedsearch_name=[your alert]

Reply

mclane1
Path Finder
‎05-19-2021 07:52 AM

Hello,

Sorry, I'm using splunk 6.4.2

I find this command :

index=_internal "INFO StreamedSearch - Streamed search connection terminated" savedsearch_name="My_Alert" | table _time, search_id, server, active_searches, elapsedTime, search, savedsearch_name

And the frequency is the same. I schedule a mail for each alert, and it's the same in my outlook than on splunk.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...