Alerting

How do you create an alert in Splunk that checks a file for one code and then must see another code within 4 hours or a ticket is cut?

Path Finder

I need to create an alert that checks for a particular code number, and when it comes in, then if another code doesn't come in within 4 hours, a ticket is cut. I know how to check for the first code, but I'm not certain how to do the span and search for the 2nd code number.

0 Karma

Re: How do you create an alert in Splunk that checks a file for one code and then must see another code within 4 hours or a ticket is cut?

SplunkTrust

This may get you started.

<your search for the code number> earliest=-4h | stats count | where count<2
---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: How do you create an alert in Splunk that checks a file for one code and then must see another code within 4 hours or a ticket is cut?

Path Finder

So I'm assuming that after that part of the code I would put in the if count not zero, send alert?

0 Karma

Re: How do you create an alert in Splunk that checks a file for one code and then must see another code within 4 hours or a ticket is cut?

SplunkTrust

Not quite. Leave the query as it is and set your alert to trigger if the number of results is not zero.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: How do you create an alert in Splunk that checks a file for one code and then must see another code within 4 hours or a ticket is cut?

Path Finder

I will give this a try.

0 Karma

Re: How do you create an alert in Splunk that checks a file for one code and then must see another code within 4 hours or a ticket is cut?

Esteemed Legend

Assuming that you have a field like account that you need to group by, run something like this every hour with the time picker set to "Last 5 Hours" (set your alert trigger to "number of results is greater than 0").

| makeresults
| eval account="foo bar bat"
| makemv account
| mvexpand account
| eval code=case(account=="foo", "start middle middle stop", account=="bar", "stop", true(), "start")
| makemv code
| mvexpand code
| stats max(_time) AS _time first(code) AS code BY account
| where code=="start" AND _time <= relative_time(now(), "-240min")
0 Karma