Alerting

How to create Splunk alert for event not generated in last 10 minutes?

ravir_jbp
Explorer

 

Trying to set up an alert for the two scenarios mentioned below:

Scenario 1: to determine if the connection between Xyz and the abc service is healthy, check for the string “IEX API Call Successfully got agent schedules data”. This message occurs in batches roughly every 5 minutes. A good threshold might be to alert if this message is not seen in >= 10 minutes.

Scenario 2: Another item to check would be the connection between the service and the xyz host. The string for that is “Schedule successfully posted to the provider API”. The cadence for those messages is the same, so an absence of > 10 minutes may be a good place to start.

Below are the sample Splunk events. I would like to set up an alert so that if these keyword events do not appear in the last 10 minutes, an e-mail alert is sent. Please help.

3/21/22
4:44:13.000 AM	
2022-03-21 04:44:13 [pool-6-thread-2] INFO  c.i.e.i.s.c.i.AgentResourceServiceImpl - IEX API Call Successfully got agent schedules data.

3/21/22
4:44:13.000 AM	 
2022-03-21 04:44:13 [pool-6-thread-2] INFO  c.i.e.i.s.c.i.AgentResourceServiceImpl - IEX API Call Successfully got agent schedules data.

3/21/22
4:44:13.000 AM	
2022-03-21 04:44:13 [pool-6-thread-2] INFO  c.i.e.i.s.c.i.AgentResourceServiceImpl - IEX API Call Successfully got agent schedules data.

3/21/22
4:44:13.000 AM	
2022-03-21 04:44:13 [pool-6-thread-2] INFO  c.i.e.f.a.w.s.i.SchedulesServiceImpl - Schedule successfully posted to the provider Api.


ITWhisperer
SplunkTrust

Create a couple of reports which look at events in the previous 10 minutes (or 5 minutes if appropriate), one which searches for the first string and the other searches for the second string. If you get no results, trigger the alert with the send email action.


gcusello
SplunkTrust

Hi @ravir_jbp,

you have to create a simple search like the following:

index=your_index "IEX API Call Successfully got agent schedules data" earliest=-10m@m latest=@m

or

index=your_index "Schedule successfully posted to the provider API" earliest=-10m@m latest=@m

then create an alert for each search that triggers when there isn't any result (results=0).

Check the delay of your events, and eventually use a different time frame e.g. 

earliest=-15m@m latest=-5m@m

Ciao.

Giuseppe

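One way to express both checks as a single scheduled alert in savedsearches.conf, added here as an example that is not from the thread. The index, sourcetype and mail address are placeholders, and the window is the same -10m@m / @m one used above; note that the sample event reads "provider Api." while the search term says "API", so the per-string counts use a case-insensitive regex.

```ini
# savedsearches.conf (added example, not from the thread).
# Assumptions: your_index, your_sourcetype and oncall@example.com are placeholders.
[Xyz - abc service heartbeat missing]
enableSched = 1
cron_schedule = */5 * * * *
# Same window as the thread; widen to -15m@m / -5m@m if events are indexed late.
dispatch.earliest_time = -10m@m
dispatch.latest_time = @m
# Count each heartbeat string separately. stats returns one row even when there are
# no events at all, so a zero count is visible. (?i) covers "provider API" vs "provider Api".
search = index=your_index sourcetype=your_sourcetype \
    ("IEX API Call Successfully got agent schedules data" OR "Schedule successfully posted to the provider API") \
    | stats count(eval(match(_raw, "(?i)IEX API Call Successfully got agent schedules data"))) AS agent_schedules_ok, \
            count(eval(match(_raw, "(?i)Schedule successfully posted to the provider API"))) AS provider_post_ok \
    | where agent_schedules_ok=0 OR provider_post_ok=0
# The where clause leaves a row only when at least one string was absent, so fire on any result.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
alert.severity = 4
# Throttle so a sustained outage sends one mail per 30 minutes rather than one per run.
alert.suppress = 1
alert.suppress.period = 30m
action.email = 1
action.email.to = oncall@example.com
action.email.subject = Heartbeat missing: agent_schedules_ok=$result.agent_schedules_ok$ provider_post_ok=$result.provider_post_ok$
action.email.include.results_link = 1
```

Because the row carries both counts, the mail subject shows which of the two connections went quiet without needing two separate alerts.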