During alert creation, if I enable Summary Indexing, how can I tell Splunk to use a time field in the data rather than adding one?

Contributor

DETAILS:

I have set up an alert with a search that returns a set of fields. The search looks like this:

index=si-br-counts earliest=-30d@d latest=-1d@d
| stats count as count sum(filesize) as volume by site, server, priority, _time
| bin _time span=1d
| eval weekday=strftime(_time,"%w")
| eval sub_weekday=strftime(now(),"%w")
| eval sub_weekday=sub_weekday-1
| where weekday==sub_weekday
| stats sum(volume) as volume sum(count) as count by site, server, _time
| stats avg(count) as avgcount avg(volume) as avgvolume by site, server
| appendcols [search index=si-br-counts earliest=-1d@d latest=-0d@d | stats count as count sum(filesize) as volume by site, server, priority, _time | eval sub_weekday=strftime(_time,"%w") | stats sum(count) as count sum(volume) as volume by sub_weekday, site, server]
| lookup br-alerting.csv site as site server as server OUTPUT lower as lower upper as upper email as recipients site as fsite server as fserver
| where fsite==site AND fserver==server
| eval highcount=(avgcount*upper)
| eval lowcount=(avgcount*lower)
| eval highvol=(avgvolume*upper)
| eval lowvol=(avgvolume*lower)
| eval trigger_time=now()
| fields trigger_time, site, server, count, volume, lowcount, highcount, lowvol, highvol

I have checked the Enable Summary Indexing box and added two fields alertname and appname.

After the alert fires, I search the summary index for the last 24 hours. No results. If I change to All Time, I can find my events. They have _time set to the minimum date in the search (which is 30 days ago). This is NOT what I want. I would like _time to be set to the value of the field trigger_time so that I can search easily by changing the time range from the pulldown. How can I make this happen?

1 Solution

SplunkTrust

Have you tried adding eval _time=trigger_time to your search?

---
If this reply helps you, an upvote would be appreciated.
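
Applying the accepted answer to the search in the question, as an added example that is not the poster's or the answerer's own search: trigger_time is already an epoch value produced by now(), so assigning it to _time just before the final fields line stamps every summary event with the moment the alert ran. The fields command with an inclusion list keeps the internal _time field, so nothing else has to change. The verification search afterwards assumes the default summary index name summary and that the alert's added field alertname carries the constructed value br_volume_alert; both names are assumptions, not values from the page.

```spl
... (the original search, unchanged, up to the lookup and threshold evals) ...
| eval trigger_time=now()
| eval _time=trigger_time
| fields trigger_time, site, server, count, volume, lowcount, highcount, lowvol, highvol

/* Verification search (assumed index and field names): the summary events
   should now appear under a relative time-picker range such as Last 24 hours */
index=summary alertname=br_volume_alert earliest=-24h
| table _time trigger_time site server count volume lowcount highcount lowvol highvol
```

Because now() is evaluated when the scheduled search runs, each run's summary rows land at the run time rather than at the earliest boundary of the 30-day search window, which is what made them invisible under Last 24 hours in the original post.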

Contributor

Per @richgalloway's comment above, adding eval _time=trigger_time to the search fixes the issue.


Contributor

OMG -- I SWEAR I tried that and it didn't work. But I just did it again and it did! Thanks!
