Alerting

How do I schedule and create a Search Alert?

anandhalagaras1
Communicator

Hi Team,

I have a requirement for creating an alert and scheduling it in Splunk.

So for the below-mentioned query:

index=abc sourcetype=xyz host=mno "load is high"

There would be exactly one event present every hour (i.e. every 60 minutes) for this query, so our requirement is that if there is no event for 1 hour and 10 minutes (i.e. 80 minutes), then it needs to trigger an email to the recipients.

So how do I achieve this in the alert configuration, how should I schedule the cron, what time range should I choose, and what trigger condition do we need to set?

So kindly help on the same.

0 Karma

gcusello
Esteemed Legend

Hi @anandhalagaras1,

you have to create a simple search like the one you shared:

index=abc sourcetype=xyz host=mno "load is high" earliest=-80m@m latest=now

and schedule it to execute every hour and trigger when there's no result.

Only one thing: I don't like to have a frequency different from the time window, because you could have two triggers for the same event, so I suggest using 60 minutes for both frequency and time window.

Ciao.

Giuseppe

0 Karma

anandhalagaras1
Communicator

Thank you for your swift response.

So I have created the query as below:

index=abc sourcetype=xyz host=mno "load is high" earliest=-80m@m latest=now

After that, when I click to save as an Alert, I need to set the Alert type to Scheduled, and if I choose to run on a cron schedule:

Run On Cron Schedule

Time Range : Last 60 minutes

Cron Expression : 0 * * * *

Trigger Conditions 

Trigger Alert When : Number of Results

Is equal to 0

So if the keyword is not updated for 80 minutes, it will throw an alert? Correct me if I am wrong.

So will this be fine? Kindly update, please.

0 Karma


gcusello
Esteemed Legend

Hi @anandhalagaras1,

the Trigger Condition: if there isn't any result in the search, the alert triggers.

Think about what I said about the time period!

Ciao.

Giuseppe

0 Karma
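As an added illustration (not part of the thread or of Splunk's own code), the following Python models the alert configured above: a search with `earliest=-Nm@m latest=now` run on cron `0 * * * *`, triggering when Number of Results is equal to 0. It replays constructed "load is high" timestamps and compares the 60-minute and 80-minute lookbacks discussed; the index, sourcetype and host filters do not affect the timing logic and are omitted.

```python
from datetime import datetime, timedelta

def count_results(events, run_at, window_minutes):
    """Emulate `earliest=-<window>m@m latest=now` evaluated at run_at.

    `@m` snaps the earliest boundary down to the whole minute, so the window
    is a little longer than window_minutes if run_at has a seconds part.
    """
    earliest = run_at.replace(second=0, microsecond=0) - timedelta(minutes=window_minutes)
    return sum(1 for e in events if earliest <= e < run_at)

def hourly_runs(first_run, count):
    """Run times produced by cron `0 * * * *`, starting at first_run (top of an hour)."""
    return [first_run + timedelta(hours=i) for i in range(count)]

def evaluate_alert(events, run_times, window_minutes):
    """Return {run_time: result_count}; 'Number of Results is equal to 0' fires on 0."""
    return {r: count_results(events, r, window_minutes) for r in run_times}

def triggered_runs(results):
    """Run times at which the zero-results trigger condition is met."""
    return [r for r, n in results.items() if n == 0]

# Constructed sample data (not from any real index): an hourly heartbeat with
# ordinary jitter (08:59:50 a bit early, 10:00:10 a bit late), followed by a
# genuine gap between 11:00:20 and 15:00:30.
D = datetime(2024, 1, 1)
EVENTS = [D + timedelta(hours=8, seconds=30),
          D + timedelta(hours=8, minutes=59, seconds=50),
          D + timedelta(hours=10, seconds=10),
          D + timedelta(hours=11, seconds=20),
          D + timedelta(hours=15, seconds=30)]
RUNS = hourly_runs(D + timedelta(hours=9), 8)   # 09:00 .. 16:00

def compare_windows():
    """Evaluate the hourly alert with a 60-minute and an 80-minute lookback."""
    return {w: triggered_runs(evaluate_alert(EVENTS, RUNS, w)) for w in (60, 80)}

if __name__ == "__main__":
    for w, fired in compare_windows().items():
        print(f"earliest=-{w}m@m fires at:", [t.strftime("%H:%M") for t in fired])
```

With the 60-minute window the 10:00 run fires on the jitter alone, while the 80-minute window fires only for the real gap (13:00, 14:00, 15:00); the per-run counts also show the overlap Giuseppe refers to, since with an 80-minute window the 08:59:50 event is counted by both the 09:00 and the 10:00 run.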