Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Have I properly configured advanced conditional attributes for my alert in savedsearches.conf?

_gkollias
Builder
‎11-12-2015 07:01 AM

This is the first time I am using an advanced conditional alert in savedsearches.conf.

I'd like to get some feedback about current configurations I have around monitoring scheduled jobs.

If a job is hung for x amount of time, the alert should kick off, however one was manually suspended last night and nothing came out. Here is a sample of my savedsearches.conf along with a sample of the search:

[alert]
action.email.inline = 1
action.script = 1
action.script.filename = email_alert.sh
alert.digest_mode = True
alert.expires = 24h
alert.suppress = 0
alert.track = 1
**alert_condition = | where last_run_ago_seconds>7200
counttype = custom**
cron_schedule = 00 09,10,11,12,13,14,15,16,17,18,19,20,21,22 * * *
displayview = flashtimeline
enableSched = 1
search = index=index earliest=-60m@m latest=@m sourcetype=blah <servicenamehere> | head 100 | stats latest(_time) as last_seen, first(host) as host_start by service | addinfo | eval last_run_ago_seconds=round( info_search_time-last_seen ) | stats min(last_run_ago_seconds) as last_run_ago_seconds, values(host_start) as host_start by service | fillnull value="n/a" host_start  | eval message=if(last_run_ago_seconds>7200, "This Job May Be Hung", "Job Looks OK") | table service,last_run_ago_seconds,host_start,message

When I run the search manually things look OK, but I want to make sure my use of alert_condition and counttype are correct. Or, if there is another way of kicking off a similar alert I am open to suggestions.

Thanks in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

frobinson_splun
Splunk Employee
Splunk Employee
‎11-13-2015 05:47 PM

Hi @KolGr001,
"Counttype" should not be specified if you are using an "alert_condition" in savedsearches.conf.
http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Savedsearchesconf

The spec file mentions that, if you include an alert_condition, you should not set counttype, relation, or quantity. I've corrected a discrepancy in older versions of our documentation that stated otherwise.

Hope this helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

frobinson_splun
Splunk Employee
Splunk Employee
‎11-13-2015 05:47 PM

Hi @KolGr001,
"Counttype" should not be specified if you are using an "alert_condition" in savedsearches.conf.
http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Savedsearchesconf

The spec file mentions that, if you include an alert_condition, you should not set counttype, relation, or quantity. I've corrected a discrepancy in older versions of our documentation that stated otherwise.

Hope this helps!

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...