Alerting

How do I schedule and create a Search Alert?

anandhalagaras1
Communicator

Hi Team,

I have a requirement to create an alert and schedule it in Splunk.

So for the below-mentioned query:

index=abc sourcetype=xyz host=mno "load is high"

There would be exactly one event present every hour (i.e. every 60 minutes) for this query, so our requirement is that if there is no event for 1 hour and 10 minutes (i.e. 80 minutes), then it needs to trigger an email to the recipients.

So how do I achieve this in the alert configuration, how should I schedule the cron, what time range should I choose, and what trigger condition do we need to set?


So kindly help on the same.



gcusello
SplunkTrust
SplunkTrust

Hi @anandhalagaras1,

You have to create a simple search like the one you shared:

index=abc sourcetype=xyz host=mno "load is high" earliest=-80m@m latest=now

and schedule it to execute every hour, triggering when there's no result.

Only one thing: I don't like to have a frequency different from the time window, because you could have two triggers for the same event, so I suggest using 60 minutes for both the frequency and the time window.

Ciao.

Giuseppe

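The same alert written as a savedsearches.conf stanza, added here as an example (it is not the poster's or Splunk's own configuration). A missing-heartbeat alert like this is the usual way to notice a log source going silent, so the zero-results trigger is the part that matters; the stanza also adds a throttle for the double-trigger overlap gcusello warns about. The stanza name, recipient address, subject and message text are assumptions.

```ini
# savedsearches.conf (for example $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf)
# Stanza name, recipient address, subject and message are assumptions for this example.
[Heartbeat missing - load is high]
search = index=abc sourcetype=xyz host=mno "load is high"

# Time range: the 80-minute window asked for in the thread, snapped to the minute.
# To follow the advice of matching window and frequency, use -60m@m instead.
dispatch.earliest_time = -80m@m
dispatch.latest_time = now

# Schedule: top of every hour (same as "Run on Cron Schedule" with 0 * * * * in the UI).
enableSched = 1
cron_schedule = 0 * * * *

# Trigger: "Number of Results is equal to 0", i.e. the hourly event did not arrive.
alert_type = number of events
alert_comparator = equal to
alert_threshold = 0

# Record the firing under Activity > Triggered Alerts, severity 4 = high.
alert.track = 1
alert.severity = 4

# Throttle: with an 80m window and a 60m schedule, one gap can be seen by two
# consecutive runs; suppressing for 60m keeps that to a single notification.
alert.suppress = 1
alert.suppress.period = 60m

# Email action (recipient, subject and message are assumptions).
action.email = 1
action.email.to = ops-oncall@example.com
action.email.subject = Splunk alert: no "load is high" event from host mno in the last 80 minutes
action.email.message.alert = No event matching "load is high" for host=mno arrived within the search window. Check the host and its forwarder.
```

After deploying the file, reload the app or restart Splunk and confirm the search appears under Settings > Searches, reports, and alerts with its schedule enabled.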

anandhalagaras1
Communicator

Thank you for your swift response.

So I have created the query as below:

index=abc sourcetype=xyz host=mno "load is high" earliest=-80m@m latest=now


And after that, when I click Save As Alert,

I need to provide the Alert type as Scheduled, and if I choose to run on a cron schedule:

Run On Cron Schedule

Time Range : Last 60 minutes

Cron Expression : 0 * * * *

Trigger Conditions 

Trigger Alert When : Number of Results

Is equal to 0


So if the keyword is not getting updated for 80 minutes, it will throw an alert? Correct me if I am wrong.

So will this be fine? Kindly update, please.



gcusello
SplunkTrust
SplunkTrust

Hi @anandhalagaras1,

The Trigger Condition: if there isn't any result in the search, the alert triggers.

Think about what I said about the time period!

Ciao.

Giuseppe
