Alerting

How do you create an alert in Splunk that checks a file for one code and then must see another code within 4 hours or a ticket is cut?

nls7010
Path Finder

I need to create an alert that checks for a particular code number, and when it comes in, then if another code doesn't come in within 4 hours, a ticket is cut. I know how to check for the first code, but I'm not certain how to do the span and search for the 2nd code number.

0 Karma

woodcock
Esteemed Legend

Assuming that you have a field like account that you need to group by, run something like this every hour with the timepicker set to "Last 5 Hours" (set your alert trigger to "when number of results is greater than 0").

| makeresults 
| eval account="foo bar bat"
| makemv account
| mvexpand account
| eval code=case(account=="foo", "start middle middle stop", account=="bar", "stop", true(), "start")
| makemv code
| mvexpand code
| stats max(_time) AS _time first(code) AS code BY account
| where code=="start" AND _time <= relative_time(now(), "-240min")

0 Karma

richgalloway
SplunkTrust

This may get you started.

<your search for the code number> earliest=-4h | stats count | where count<2
---
If this reply helps you, Karma would be appreciated.
0 Karma

nls7010
Path Finder

So I'm assuming that after that part of the code I would put in the if count not zero, send alert?

0 Karma

richgalloway
SplunkTrust

Not quite. Leave the query as it is and set your alert to trigger if the number of results is not zero.

---
If this reply helps you, Karma would be appreciated.
0 Karma
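Putting the two replies together, here is an added, self-contained search that is not part of either answer above. It pairs a "start" code with a "stop" code per account and returns only the accounts whose start is at least 4 hours old and has no stop within 4 hours after it, which is exactly the set of rows an alert with the trigger "number of results is greater than 0" should fire on. Everything in it is assumed for illustration: the code values 1001 (start) and 1002 (stop), the field names account and code, and the constructed sample events built with makeresults (offsets are minutes relative to now). In a real alert, replace the first six lines with your own base search, for example `index=app (code=1001 OR code=1002) earliest=-5h`, and keep the rest.

```spl
| makeresults count=1
| eval raw="alice,1001,-290;alice,1002,-120;bob,1001,-270;carol,1001,-90;dave,1002,-330;dave,1001,-300;erin,1001,-280;erin,1002,-20"
| makemv delim=";" raw
| mvexpand raw
| eval parts=split(raw, ","), account=mvindex(parts, 0), code=mvindex(parts, 1), offset=mvindex(parts, 2)
| eval _time=relative_time(now(), offset."min")
| eval start_time=if(code=="1001", _time, null()), stop_time=if(code=="1002", _time, null())
| stats min(start_time) AS start_time max(stop_time) AS stop_time BY account
| where start_time > relative_time(now(), "-300min")
    AND start_time <= relative_time(now(), "-240min")
    AND (isnull(stop_time) OR stop_time < start_time OR stop_time - start_time > 14400)
| eval start_time=strftime(start_time, "%F %T"), stop_time=strftime(stop_time, "%F %T")
| table account start_time stop_time
```

Read it stage by stage: the eval before stats splits each event's timestamp into a start_time or a stop_time column depending on the code, so stats can take the oldest start and the newest stop per account in one pass. The where clause then keeps an account only if its start falls in the window that this hourly run is responsible for (between 4 and 5 hours old, so each start is evaluated exactly once and does not re-alert every hour), and the stop is missing, predates the start (a stale stop from an earlier cycle), or arrived more than 14400 seconds after it. On the constructed data that yields bob (no stop), dave (only a stop that predates the start) and erin (stop arrived 260 minutes after start); alice is excluded because her stop came 170 minutes after the start, and carol because her start is only 90 minutes old and the 4-hour deadline has not passed yet. If an account can open several starts inside one window, min(start_time) only checks the oldest; use streamstats or transaction to pair each start with its own stop in that case.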

nls7010
Path Finder

I will give this a try.

0 Karma