Alerting

How do I schedule and create a Search Alert?

anandhalagaras1
Communicator

Hi Team,

I have a requirement for creating an alert and scheduling it in Splunk.

So for the below-mentioned query:

index=abc sourcetype=xyz host=mno "load is high"

There would be exactly one event present every hour (i.e. every 60 minutes) for this query, so our requirement is that if there is no event for 1 hour and 10 minutes (i.e. 80 minutes) then it needs to trigger an email to the recipients.

So how do I achieve this in the alert configuration, how should I schedule the cron, what time range should I choose, and what trigger condition do we need to set?


So kindly help on the same.


gcusello
SplunkTrust

Hi @anandhalagaras1,

you have to create a simple search like the one you shared

index=abc sourcetype=xyz host=mno "load is high" earliest=-80m@m latest=now

and schedule it to execute every hour and trigger when there's no result.

Only one thing: I don't like to have a frequency different from the time window, because you could have two triggers for the same event, so I suggest using 60 minutes for both frequency and time window.

Ciao.

Giuseppe


anandhalagaras1
Communicator

Thank you for your swift response.

So I have created the query as below:

index=abc sourcetype=xyz host=mno "load is high" earliest=-80m@m latest=now

And after that, when I click Save as Alert,

I need to set the Alert type to Scheduled, and if I choose to run on a cron schedule:

Run On Cron Schedule

Time Range : Last 60 minutes

Cron Expression : 0 * * * *

Trigger Conditions 

Trigger Alert When : Number of Results

Is equal to 0

So if the keyword is not getting updated for 80 minutes it will throw an alert? Correct me if I am wrong.

So will this be fine? Kindly update please.



gcusello
SplunkTrust

Hi @anandhalagaras1,

the Trigger Condition: if there isn't any result in the search, the alert triggers.

Think about what I said about the time period!

Ciao.

Giuseppe

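As an added illustration that is not part of the thread, the Python script below replays the two configurations discussed above (an hourly run with an 80-minute search window versus a 60-minute window) against a constructed series of hourly "load is high" heartbeats in which one event arrives 50 minutes late, and reports which runs would trigger a "Number of Results is equal to 0" alert. The event times, the run schedule and the function names are all constructed for this example; the replay works for any period and window, not only the two from the thread.

```python
from datetime import datetime, timedelta

# Constructed heartbeat timestamps (not from the thread): one "load is high"
# event at the top of each hour, except the 01:00 event arrives at 01:50, so
# the gap from 00:00 to 01:50 is 110 minutes, well over the 80-minute limit.
EVENTS = [datetime(2024, 1, 1, h, 0) for h in (0, 3, 4, 5)]
EVENTS.insert(1, datetime(2024, 1, 1, 1, 50))


def scheduled_alert_fires(events, first_run, runs, period_min, window_min):
    """Replay a scheduled alert whose trigger is 'Number of Results is equal to 0'.

    Each run searches earliest=-<window_min>m@m latest=now, i.e. the half-open
    interval [run - window, run) (Splunk's earliest is inclusive, latest is
    exclusive), and fires when no event falls inside it.  Runs happen every
    period_min minutes starting at first_run.  Returns the run times that fire.
    """
    fired = []
    for i in range(runs):
        run = first_run + timedelta(minutes=i * period_min)
        earliest = run - timedelta(minutes=window_min)
        if not any(earliest <= t < run for t in events):
            fired.append(run)
    return fired


def longest_gap_minutes(events):
    """Largest interval between consecutive heartbeats, for comparison."""
    s = sorted(events)
    return max((b - a).total_seconds() / 60 for a, b in zip(s, s[1:]))


if __name__ == "__main__":
    first = datetime(2024, 1, 1, 1, 0)  # cron "0 * * * *": top of each hour
    print("longest gap between heartbeats:", longest_gap_minutes(EVENTS), "min")
    for window in (80, 60):
        fired = scheduled_alert_fires(EVENTS, first, 5, 60, window)
        print(f"window {window}m, run every 60m -> fires at",
              [t.strftime("%H:%M") for t in fired])
```

With the 80-minute window none of the hourly runs fires even though the heartbeat was missing for 110 minutes, while the 60-minute window fires at 03:00 on a gap of only 70 minutes; a zero-result trigger detects an empty search window, not a gap of a given length.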