Alerting

During alert creation, if I enable Summary Indexing, how can I tell splunk to use a time field in the data rather than adding one?

lyndac
Contributor


DETAILS:

I have set up an alert with a search that returns a set of fields. The search looks like this:

index=si-br-counts earliest=-30d@d latest=-1d@d
| stats count as count sum(filesize) as volume by site, server, priority, _time
| bin _time span=1d
| eval weekday=strftime(_time,"%w")
| eval sub_weekday=strftime(now(),"%w")
| eval sub_weekday=sub_weekday-1
| where weekday==sub_weekday
| stats sum(volume) as volume sum(count) as count by site, server, _time
| stats avg(count) as avgcount avg(volume) as avgvolume by site, server
| appendcols [search index=si-br-counts earliest=-1d@d latest=-0d@d | stats count as count sum(filesize) as volume by site, server, priority, _time | eval sub_weekday=strftime(_time,"%w") | stats sum(count) as count sum(volume) as volume by sub_weekday, site, server]
| lookup br-alerting.csv site as site server as server OUTPUT lower as lower upper as upper email as recipients site as fsite server as fserver
| where fsite==site AND fserver==server
| eval highcount=(avgcount*upper)
| eval lowcount=(avgcount*lower)
| eval highvol=(avgvolume*upper)
| eval lowvol=(avgvolume*lower)
| eval trigger_time=now()
| fields trigger_time, site, server, count, volume, lowcount, highcount, lowvol, highvol

I have checked the Enable Summary Indexing box and added two fields alert_name and app_name.

After the alert fires, I search the summary index for the last 24 hours. No results. If I change to All Time, I can find my events. They have _time set to the minimum date in the search (which is 30 days ago). This is NOT what I want. I would like _time to be set to the value of the field trigger_time so that I can search easily changing the time from the pulldown. How can I make this happen?

0 Karma
1 Solution

richgalloway
SplunkTrust

Have you tried adding eval _time=trigger_time to your search?

---
If this reply helps you, Karma would be appreciated.


0 Karma
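The fix in context, as an added example that is neither the original poster's search nor richgalloway's code. The first search is a shortened version of the alert search with the assignment placed before the final fields command (fields keeps _time by default, so it does not need to be listed); the second search checks the summary index afterwards and assumes the summary index is called summary and that the alert_name field the poster added was set to br-alerting.

```spl
index=si-br-counts earliest=-30d@d latest=-1d@d
| stats count as count sum(filesize) as volume by site, server
| eval trigger_time=now()
| eval _time=trigger_time
| fields trigger_time, site, server, count, volume

index=summary alert_name="br-alerting" earliest=-24h
| eval lag_seconds=_time-trigger_time
| table _time trigger_time lag_seconds site server count volume
```

If the fix is in place, the second search returns the stored rows within the last-24-hours window and lag_seconds is 0 for every row; events still timestamped 30 days back mean the eval ran after the results were collected or was never saved with the alert.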


lyndac
Contributor

Per @richgalloway comment above, adding eval _time=trigger_time to the search fixes the issue.

0 Karma

lyndac
Contributor

OMG -- I SWEAR I tried that and it didn't work. But I just did it again and it did! Thanks!

0 Karma