Alerting

During alert creation, if I enable Summary Indexing, how can I tell splunk to use a time field in the data rather than adding one?

lyndac
Contributor

During alert creation, if I enable Summary Indexing, how can I tell splunk to use a time field in the data rather than adding one?

DETAILS:

I have set up an alert with a search that returns a set of fields. The search looks like this:

index=si-br-counts earliest=-30d@d latest=-1d@d |stats count as count sum(filesize) as volume by site, server,priority, _time | bin _time span=1d | eval weekday=strftime(_time,"%w") | eval sub_weekday=strftime(now(), '%w") | eval sub_weekday= subweekday -1 | where weekday==sub_weekday | stats sum(volume as volume sum(count) as count by site,server, _time  |stats avg(count) as avgcount avg(volume) as avgvolume by site, server | appendcols [search index=si-br-counts earliest=-1d@d latest=-0d@d | stats count as count sum(filesize) as volume by site, server,priority, _time |  eval sub_weekday=strftime(_time,"%w")  | stats sum(count) as count sum(volume) as volume by sub_weekday, site,server] |lookup br-alerting.csv site as site server as server OUTPUT lower as lower upper as upper email as recipients site as fsite server as fserver|where fsite==site AND fserver==server |eval highcount=(avgcount*upper) | eval lowcount=(avgcount*lower) | eval highvol =(avgvolume*upper) | eval lowvol=(avgvolume*lower) | eval trigger_time=now() |fields trigger_time, site, server, count, volume, lowcount, highcount, lowvol, highvol 

I have checked the Enable Summary Indexing box and added two fields alert_name and app_name.

After the alert fires, I search the summary index for the last 24 hours. No results. If I change to All Time, I can find my events. They have _time set to the minimum date in the search (which is 30 days ago). This is NOT what I want. I would like _time to be set to the value of the field trigger_time so that I can search easily changing the time from the pulldown. How can I make this happen?

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Have you tried adding eval _time=trigger_time to your search?

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Have you tried adding eval _time=trigger_time to your search?

---
If this reply helps you, Karma would be appreciated.
0 Karma

lyndac
Contributor

Per @richgalloway comment above, adding eval _time=trigger_time to the search fixes the issue.

0 Karma

lyndac
Contributor

OMG -- I SWEAR I tried that and it didn't work. But I just did it again and it did! Thanks!

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...