Hi Team,
I have a requirement for alert creating and scheduling the same in Splunk.
So for the below-mentioned query:
index=abc sourcetype=xyz host=mno "load is high"
There would be exactly one event present every hour (i.e. every 60 minutes) for this query, so our requirement is that if there is no event for 1 hour and 10 minutes (i.e. 80 minutes), it needs to trigger an email to the recipients.
So how do I achieve this in the alert configuration, how should I schedule the cron, what time range should I choose, and what trigger condition do we need to set?
So kindly help on the same.
Hi @anandhalagaras1,
you have to create a simple search like the one you shared
index=abc sourcetype=xyz host=mno "load is high" earliest=-80m@m latest=now
and schedule it to execute every hour and trigger when there's no result.
Only one thing: I don't like to have a frequency different from the time window because you could have two triggers for the same event, so I suggest using 60 minutes for both frequency and time window.
Ciao.
Giuseppe
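The same alert expressed as a savedsearches.conf stanza, added here as an example and not taken from the thread or from Splunk's own examples. The search, the 80-minute window and the hourly cron come from the posts above; the stanza name, the recipient address and the app it would live in are placeholders. The time window is set with dispatch.earliest_time and dispatch.latest_time rather than inline in the search string, because inline earliest/latest in the search override whatever time range the alert editor (or these keys) specify, which is why a "Last 60 minutes" picker setting has no effect on a search that already says earliest=-80m@m.

```ini
# Added example (not from the thread): savedsearches.conf stanza for the alert.
# Stanza name, recipient address and app context are placeholders.
[missing_load_is_high_event]
# Search without inline earliest/latest: the window is controlled by the
# dispatch.* keys below. Inline time modifiers in the search string would
# override them.
search = index=abc sourcetype=xyz host=mno "load is high"
enableSched = 1
# Run at the top of every hour (the "0 * * * *" cron from the thread).
cron_schedule = 0 * * * *
# Look back 80 minutes, snapped to the minute, as the requirement states.
# Giuseppe's suggestion is -60m@m so that window and frequency match and a
# single event cannot satisfy two consecutive runs.
dispatch.earliest_time = -80m@m
dispatch.latest_time = now
# Trigger condition: "Number of Results" is equal to 0.
counttype = number of events
relation = equal to
quantity = 0
# One notification per scheduled run, and record the trigger in Triggered Alerts.
alert.digest_mode = 1
alert.track = 1
alert.severity = 4
# Email action; the recipient is a placeholder.
action.email = 1
action.email.to = ops-oncall@example.com
action.email.subject = No "load is high" event from mno in the last 80 minutes
action.email.message.alert = Expected one event per hour from host=mno; none was indexed in the last 80 minutes.
```

With an hourly run and an 80-minute window, a missing event is noticed at the first top-of-hour run that finds the window empty, so the notification can arrive up to an hour after the 80-minute mark; an event that falls near the start of the window can also be counted by two consecutive runs, which is the overlap Giuseppe warns about. Setting dispatch.earliest_time to -60m@m removes the overlap at the cost of alerting after a 60-minute gap rather than 80.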
Thank you for your swift response.
So I have created the query as below:
index=abc sourcetype=xyz host=mno "load is high" earliest=-80m@m latest=now
And after that, when I click Save As Alert,
I need to provide the Alert type as Scheduled, and if I choose to run on a cron schedule:
Run On Cron Schedule
Time Range : Last 60 minutes
Cron Expression : 0 * * * *
Trigger Conditions
Trigger Alert When : Number of Results
Is equal to 0
So if the keyword is not getting updated for 80 minutes, it will throw an alert? Correct me if I am wrong.
So will this be fine? Kindly update please.
Hi @anandhalagaras1,
the Trigger Condition is correct: if there isn't any result in the search, the alert triggers.
Think about what I said about the time period!
Ciao.
Giuseppe