How can I use splunk scheduled alert like real tim...

Aj01 · ‎01-11-2023

I need to create a alert for service for but real time alert are disabled by admin, now i need to create a alert that if my service got bad service alert more then 5 it will send me mail immediately, i created alert but alert is sending email at the end of time range cycle like in cron expression i set

Time range:- "last 30 minutes"

Cron expression :- */30 * * * *

expires in 24 hours

it is running and giving email also but not on alert time but at the end of cycle after 30 min, is there any way to make it trigger alert on same time as alert coming.

Please help me...

gcusello · ‎01-11-2023

Hi @Aj01,

real time alerts consume too many resources so they are usually disabled.

But you can set a scheduled alert to run every 5 minutes or every 1 minute, so you have a near real time alert.

Ciao.

Giuseppe

Aj01 · ‎01-11-2023

i want alert to work like if there is more then 5 alert we should receive one email at the time of 5th alert but its coming at end of cycle end and if i set it to run for every 5 min or 1 min and alerts come like 2 alerts in first 5 min cycle and 3 after 5 min it will not trigger the alert right.

Thats why i set it for 30 min but the email is coming at end of 30 min cycle.

Any solution....for that

gcusello · ‎01-11-2023

Hi @Aj01,

you could run an alert that exceed the scheduling time (e.g. run the alert every 5 minutes using a timeframe of 10).

Than configure the throttle for e.g. 5 minutes.

In this way you can check the threshold in a larger time period than the scheduling window, but your alert is triggered only one time.

Ciao.

Giuseppe

How can I use splunk scheduled alert like real time alert?

alert action

alert condition

cron

email

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM