Re: Alert doesn't run each minute

mclane1 · ‎05-18-2021

Hello,

I created a small alert compiling data per minute for the last 24 hours:

(index=my*filter) (myConstraint) | bin span=1m _time
| eval fieldX=formule
| stats count(eval(field="OK")) AS OK, count as Total by index, field1, ..., fieldN, _time
| append [| inputlookup MyLookup.csv | addinfo | where _time > relative_time(info_max_time, "-24h")]
| stats max(OK) as OK, max(Total) as Total by index, field1, ..., fieldN, _time
| outputlookup append=f MyLookup.csv

I configure the alert with earliest=-5m and latest=now

Schedule window : 0

I try with and without acceleration without success.

I schedule my search : * * * * *

Expiration : I keep 1 h of alerts

The alert runs correctly but, it runs each 5 to 10 minutes.

I see in tasks the execution time is less than 15s (between 6 and 15 sec) :

The goal : another alert must run each 5 min and must look last 2h to generate alerts. Directly on the real time the alert duration is 3 min. I hope the inspect the "lookup" is quicker.

anthonymelita · ‎05-18-2021

Have you checked the audittrail rather than relying on the UI?

index=_audit sourcetype=audittrail action="search" info="completed" savedsearch_name=[your alert]

mclane1 · ‎05-19-2021

Hello,

Sorry, I'm using splunk 6.4.2

I find this command :

index=_internal "INFO StreamedSearch - Streamed search connection terminated" savedsearch_name="My_Alert" | table _time, search_id, server, active_searches, elapsedTime, search, savedsearch_name

And the frequency is the same. I schedule a mail for each alert, and it's the same in my outlook than on splunk.

Alert doesn't run each minute

alert action

cron

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation