Alerting

How to create a scheduled alert that behaves similar to a real time alert

Engager

Background: I have one job that runs once a day every day.
Need: I need an alert that triggers when this job runs on the current date.
Issue: I am unable to use "Real time" alerts, so I need a solution that uses Scheduled alerting. I also only want one alert email to be sent off when it is triggered.

Any help is appreciated. Thank you

0 Karma

Re: How to create a scheduled alert that behaves similar to a real time alert

Champion

run it every 5 minutes only, looking back over the previous 5 minutes?

0 Karma

Re: How to create a scheduled alert that behaves similar to a real time alert

Engager

That may work. Can you include the fields I should input that will make this happen? Thank you

0 Karma

Re: How to create a scheduled alert that behaves similar to a real time alert

Champion

create your search and use the time picker to run it over the past 5 minutes.
save that as an alert
choose to run it on a cron schedule and set that to */5 * * * *

0 Karma

Re: How to create a scheduled alert that behaves similar to a real time alert

Engager

This method works. However, the job has run for today, but the alert continues to trigger every 5 minutes. Is there a way to trigger it once and stop triggering until the beginning of its run tomorrow? Thank you

0 Karma

Re: How to create a scheduled alert that behaves similar to a real time alert

Champion

I guess that depends on how the search works and what the data looks like. I assumed you'd have a log entry at like 8am that a job ran and then you wouldn't have another until the next day.

So what does your data look like and how are you searching it?

0 Karma

Re: How to create a scheduled alert that behaves similar to a real time alert

Engager

That is correct. The job runs once a day. It does not run at the exact same time, but usually a few minutes off.

search:
NameOfJob=ExampleJobName | spath timestamp
| stats earliest(timestamp) as BeginTime, latest(timestamp) as StopTime, count by NameOfJob

data: Uses a timestamp method. Has an early timestamp (beginning) and a later timestamp (end). Looking for start and end time of the job. Alerts when the job has ended.

0 Karma

Re: How to create a scheduled alert that behaves similar to a real time alert

Champion

So what is the timestamp of the event based on then? Why would you see a job that ended say 20 minutes ago if you're only searching for the past 5 minutes?

In any case, you could filter out data where the StopTime is greater than 5 minutes ago. Not sure what format the timestamp is in, but assuming you could use strptime to make it epoch if not already, then something like:

... | where StopTime > relative_time(now(),"-5m")

0 Karma
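A Python model of the scheduled-alert loop discussed in this thread, added here as an example and not code from the thread or from Splunk: it runs the poster's search every 5 minutes over constructed sample events and shows that a lookback wider than the cron interval re-triggers on every run until the StopTime filter above is applied. The event data, job times and function names are assumptions.

```python
from datetime import datetime, timezone

def epoch(s):
    """Constructed helper: 'YYYY-MM-DD HH:MM:SS' (UTC) -> epoch seconds."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc).timestamp()

# Constructed sample events: the daily job logs three lines in a short burst.
# "timestamp" is the payload field extracted by `spath timestamp`; "_time" is
# the indexed time the time picker filters on (assumed equal here).
SAMPLE_EVENTS = [
    {"NameOfJob": "ExampleJobName", "_time": epoch("2024-01-15 08:02:10"), "timestamp": epoch("2024-01-15 08:02:10")},
    {"NameOfJob": "OtherJob",       "_time": epoch("2024-01-15 08:03:00"), "timestamp": epoch("2024-01-15 08:03:00")},
    {"NameOfJob": "ExampleJobName", "_time": epoch("2024-01-15 08:03:30"), "timestamp": epoch("2024-01-15 08:03:30")},
    {"NameOfJob": "ExampleJobName", "_time": epoch("2024-01-15 08:04:20"), "timestamp": epoch("2024-01-15 08:04:20")},
]
DAY_START = epoch("2024-01-15 00:00:00")

def run_search(events, now, lookback_s, job="ExampleJobName", filter_stop=False):
    """One scheduled run of the poster's search at time `now`.

    Models the time picker (events with _time in [now-lookback, now)),
    `stats earliest(timestamp) as BeginTime, latest(timestamp) as StopTime,
    count by NameOfJob`, and optionally the Champion's
    `where StopTime > relative_time(now(),"-5m")` filter.
    Returns the result row, or None when the alert would not trigger.
    """
    window = [e for e in events
              if e["NameOfJob"] == job and now - lookback_s <= e["_time"] < now]
    if not window:
        return None
    times = [e["timestamp"] for e in window]
    row = {"NameOfJob": job, "BeginTime": min(times),
           "StopTime": max(times), "count": len(window)}
    if filter_stop and not row["StopTime"] > now - 300:
        return None  # job ended more than 5 minutes ago: suppress
    return row

def simulate_day(events, day_start, lookback_s, filter_stop=False, cron_s=300):
    """Run the alert on a */5 cron for 24h; return epoch times of each trigger."""
    fired = []
    t = day_start
    while t < day_start + 86400:
        if run_search(events, t, lookback_s, filter_stop=filter_stop) is not None:
            fired.append(t)
        t += cron_s
    return fired

if __name__ == "__main__":
    for lookback, flt in ((300, False), (86400, False), (86400, True)):
        n = len(simulate_day(SAMPLE_EVENTS, DAY_START, lookback, filter_stop=flt))
        print(f"lookback={lookback}s filter={flt}: triggered {n} time(s)")
```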

Re: How to create a scheduled alert that behaves similar to a real time alert

Engager

This works. However, I would like to have the email for the alert generate once. Any help is appreciated.

0 Karma

Re: How to create a scheduled alert that behaves similar to a real time alert

Champion

can you explain why it is generating more than once? It's hard for me to infer the problem because for any of my data sets, this would work fine. Can you provide an example of when you can alert more than once?

0 Karma