Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Alerts not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alerts not working
I have enabled few alerts and these are the criterias:
Alert Type: Scheduled by CRON
Time Range: 24 Hours
Cron Expression: * */4 * * *
So as per this expression: The search query will run every 4 hour for the last 24 hours and trigger alerts. (Mail in my case)
Last day my search event count was 350. So why it didnt trigger after it crossed the 120 mark?
Can any one help me on this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you put the search query in 101010 sample code format? Also, are you setting any threshold on the number of results? I see from your question that 120 is the threshold.
My advice is to set the threshold in a query itself and just create an alert as it is without setting any threshold on the UI.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi! Can you please modify your cron expression with 0 */4 * * * and check if that's working?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My cron expression is that only "0 */4 * * *"... but its not working. there is someting with this portal... However the suggested one is my cron expression.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you mention the search and the alert conditions you have configured, so that it's easier to find the solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Current Search Query:
(index=mesb "Status_c=ERROR") source="*/mule-app-csone_logging_v2.0-v201712091010.log" Attribute_1c=CM_ROLE_UNAVAILABLE | eval _time=strptime(CreatedDate, "%Y-%m-%dT%H:%M:%S.%3N%Z") | timechart span=1h count by Attribute_1_c
Should I change to :
(index=mesb "Status_c=ERROR") source="*/mule-app-csone_logging_v2.0-v201712091010.log" Attribute_1c=CM_ROLE_UNAVAILABLE | timechart span=1h count by Attribute_1_c??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you should try the 2nd search, set the alert and check.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
