Alerts not working

ridutta · ‎01-05-2018

I have enabled few alerts and these are the criterias:

Alert Type: Scheduled by CRON
Time Range: 24 Hours
Cron Expression: * */4 * * *

So as per this expression: The search query will run every 4 hour for the last 24 hours and trigger alerts. (Mail in my case)

Last day my search event count was 350. So why it didnt trigger after it crossed the 120 mark?

Can any one help me on this?

mayurr98 · ‎01-05-2018

Can you put the search query in 101010 sample code format? Also, are you setting any threshold on the number of results? I see from your question that 120 is the threshold.
My advice is to set the threshold in a query itself and just create an alert as it is without setting any threshold on the UI.

MousumiChowdhur · ‎01-05-2018

Hi! Can you please modify your cron expression with 0 */4 * * * and check if that's working?

ridutta · ‎01-05-2018

My cron expression is that only "0 */4 * * *"... but its not working. there is someting with this portal... However the suggested one is my cron expression.

MousumiChowdhur · ‎01-05-2018

Can you mention the search and the alert conditions you have configured, so that it's easier to find the solution.

ridutta · ‎01-05-2018

Current Search Query:
(index=mesb "Status_c=ERROR") source="*/mule-app-csone_logging_v2.0-v201712091010.log" Attribute_1c=CM_ROLE_UNAVAILABLE | eval _time=strptime(CreatedDate, "%Y-%m-%dT%H:%M:%S.%3N%Z") | timechart span=1h count by Attribute_1_c

Should I change to :
(index=mesb "Status_c=ERROR") source="*/mule-app-csone_logging_v2.0-v201712091010.log" Attribute_1c=CM_ROLE_UNAVAILABLE | timechart span=1h count by Attribute_1_c??

MousumiChowdhur · ‎01-05-2018

Yes, you should try the 2nd search, set the alert and check.

Alerts not working

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms