Re: Alert doesn't run each minute

mclane1 · ‎05-18-2021

Hello,

I created a small alert compiling data per minute for the last 24 hours:

(index=my*filter) (myConstraint) | bin span=1m _time
| eval fieldX=formule
| stats count(eval(field="OK")) AS OK, count as Total by index, field1, ..., fieldN, _time
| append [| inputlookup MyLookup.csv | addinfo | where _time > relative_time(info_max_time, "-24h")]
| stats max(OK) as OK, max(Total) as Total by index, field1, ..., fieldN, _time
| outputlookup append=f MyLookup.csv

I configure the alert with earliest=-5m and latest=now

Schedule window : 0

I try with and without acceleration without success.

I schedule my search : * * * * *

Expiration : I keep 1 h of alerts

The alert runs correctly but, it runs each 5 to 10 minutes.

I see in tasks the execution time is less than 15s (between 6 and 15 sec) :

The goal : another alert must run each 5 min and must look last 2h to generate alerts. Directly on the real time the alert duration is 3 min. I hope the inspect the "lookup" is quicker.

anthonymelita · ‎05-18-2021

Have you checked the audittrail rather than relying on the UI?

index=_audit sourcetype=audittrail action="search" info="completed" savedsearch_name=[your alert]

mclane1 · ‎05-19-2021

Hello,

Sorry, I'm using splunk 6.4.2

I find this command :

index=_internal "INFO StreamedSearch - Streamed search connection terminated" savedsearch_name="My_Alert" | table _time, search_id, server, active_searches, elapsedTime, search, savedsearch_name

And the frequency is the same. I schedule a mail for each alert, and it's the same in my outlook than on splunk.

Alert doesn't run each minute

alert action

cron

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!