Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create alert when same warning keep coming for more than 5 hours

JYTTEJ
Communicator
‎06-28-2011 03:11 AM

During maintenance we get the same application alert: MON001E on each trx. I want to set up an alert if application alert MON001E keep coming for more than 5 hours.

The search is to be scheduled to run each hour 24/7

If this application alert (MON001E) keep coming for more than 5 hours, SPLUNK must give an alert.

Example:no SPLUNK alert:

First MON001E at 01:00:00

Last MON001E at 05:00:00

Example: SPLUNK Alert:

First MON001E at 02:00

Last MON001E at 09:00

SPLUNK must alert at 08:00

Will this search do the trick?:

MID=MON001E earliest-6h latest=-1h

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

joelshprentz
Path Finder
‎06-28-2011 02:49 PM

Try this search:

MID=MON001E earliest=-6h@h latest=@h | timechart span=1h count | eval count=min(1, count) | stats sum(count) as alertHours

Send an alert whenever alertHours > 5.

The search collects six hours of data matching MON001E. The timechart counts how many matches occur in each of the six hours. The eval limits those counts to be either 0 (no matches) or 1 (at least one MON001E). The stats totals the number of hours with at least one MON001E.

I interpreted your question as, "Send an alert whenever MID=MON001E occurs in six consecutive hours."

View solution in original post

Reply
Solved! Jump to solution
Solution

joelshprentz
Path Finder
‎06-28-2011 02:49 PM

Try this search:

MID=MON001E earliest=-6h@h latest=@h | timechart span=1h count | eval count=min(1, count) | stats sum(count) as alertHours

Send an alert whenever alertHours > 5.

The search collects six hours of data matching MON001E. The timechart counts how many matches occur in each of the six hours. The eval limits those counts to be either 0 (no matches) or 1 (at least one MON001E). The stats totals the number of hours with at least one MON001E.

I interpreted your question as, "Send an alert whenever MID=MON001E occurs in six consecutive hours."

Reply
Solved! Jump to solution

JYTTEJ
Communicator
‎06-29-2011 03:53 AM

great! Thank you very much

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...