Alerting

Help with query to notify when date is older than x amount of days

goken
New Member

Hi all,


I have a table called active_services.csv.
One of the fields is called Report_Date

Date value is in the following format 20220124.
The CSV file is automatically updated weekly but sometimes fails and requires manual intervention.

I need help with a query so I can setup an alert to notify me when the report date value is older than X amount of days.

Please help.

Thank you for your help in advance.


ITWhisperer
SplunkTrust
| eval days=floor((relative_time(now(),"@d")-strptime(Report_Date,"%Y%m%d"))/(60*60*24))

gcusello
SplunkTrust

Hi @goken,

I suppose that you are ingesting the active_services.csv in an index.

So you could run a search like this (where X=30 days):

index=your_index
| eval Diff=now()-strptime(Report_Date,"%Y%m%d")-86400*30
| where Diff>0

In this way, if you have results, there are outdated events and you can create an alert with this search.

Ciao.

Giuseppe

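The two answers above compute the same thing in SPL: the number of whole days between a YYYYMMDD Report_Date and today, then compare it with a threshold. The following Python is an added example (not code from either poster or from Splunk) that performs the same staleness check outside Splunk, for instance as a cron job that inspects the CSV before it is ingested. The CSV rows and column names are constructed for the example; the "unparseable" handling is an assumption, added because a failed export is exactly the condition the original question wants to catch, and a malformed date would otherwise silently evaluate to null and never alert.

```python
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample in the shape of active_services.csv (not the poster's data).
# The third row has a date in the wrong format to exercise the failure path.
SAMPLE_CSV = """service,Report_Date
billing,20220124
auth,20220117
legacy,2022-01-10
"""


def parse_report_date(value: str) -> Optional[datetime]:
    """Parse a YYYYMMDD string as UTC midnight, like strptime(Report_Date,"%Y%m%d").
    Returns None instead of raising so that a bad value can be reported, not skipped."""
    try:
        return datetime.strptime(value.strip(), "%Y%m%d").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def days_since(report_date: datetime, now: datetime) -> int:
    """Whole days from the report date to the start of 'now's day.
    Snapping 'now' to midnight mirrors relative_time(now(),"@d") in the SPL answer,
    so the result does not depend on the time of day the check runs."""
    today = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return (today - report_date).days


def stale_rows(csv_text: str, max_age_days: int, now: datetime) -> List[Dict]:
    """Return rows whose Report_Date is older than max_age_days, plus rows whose
    date cannot be parsed. Any non-empty result means the alert should fire."""
    findings: List[Dict] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parsed = parse_report_date(row.get("Report_Date", ""))
        if parsed is None:
            findings.append({**row, "days": None, "reason": "unparseable"})
            continue
        age = days_since(parsed, now)
        if age > max_age_days:
            findings.append({**row, "days": age, "reason": "stale"})
    return findings


if __name__ == "__main__":
    # Fixed 'now' so the run is reproducible; a real job would use datetime.now(timezone.utc).
    check_time = datetime(2022, 2, 1, 15, 30, tzinfo=timezone.utc)
    for finding in stale_rows(SAMPLE_CSV, max_age_days=10, now=check_time):
        print(f"{finding['service']}: {finding['reason']} (days={finding['days']})")
```

Note that the threshold comparison is done on whole days computed from midnight, so a report dated yesterday is one day old whether the job runs at 00:05 or 23:55; comparing raw epoch seconds with now() instead, as the second SPL answer does, makes the boundary drift with the clock.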