Background: I have one job that runs once a day every day.
Need: I need an alert that triggers when this job runs on the current date.
Issue: I am unable to use "Real time" alerts, so I need a solution that uses Scheduled alerting. I also only want one alert email to be sent off when it is triggered.
Any help is appreciated. Thank you
This method works. However, the job has run for today, but the alert continues to trigger every 5 minutes. Is there a way to trigger it once and stop triggering until the beginning of its run tomorrow? Thank you
I guess that depends on how the search works and what the data looks like. I assumed you'd have a log entry at like 8am that a job ran and then you wouldn't have another until the next day.
So what does your data look like and how are you searching it?
That is correct. The job runs once a day. It does not run at the exact same time, but usually a few minutes off.
NameOfJob=ExampleJobName
| spath timestamp
| stats earliest(timestamp) as BeginTime, latest(timestamp) as StopTime, count by NameOfJob
Data: Uses a timestamp method. Has an early timestamp (beginning) and a later timestamp (end). Looking for the start and end time of the job. Alerts when the job has ended.
So what is the timestamp of the event based on then? Why would you see a job that ended say 20 minutes ago if you're only searching for the past 5 minutes?
In any case, you could filter out data where the StopTime is greater than 5 minutes ago. Not sure what format the timestamp is in, but assuming you could use strptime to make it epoch if not already, then something like:
... | where StopTime > relative_time(now(),"-5m")
Can you explain why it is generating more than once? It's hard for me to infer the problem because for any of my data sets, this would work fine. Can you provide an example of when you can alert more than once?
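Added example, not part of the original thread: a small Python simulation of a scheduled alert evaluated every 5 minutes, comparing a search that looks at everything "today" with the StopTime > relative_time(now(),"-5m") filter suggested above. The job record, the dates and the 5-minute schedule are constructed assumptions, and the function names are hypothetical.

```python
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=5)  # assumed alert schedule: the search runs every 5 minutes

# Constructed sample result of the stats search: one job run with its start and stop times.
JOB = {"NameOfJob": "ExampleJobName",
       "BeginTime": datetime(2024, 1, 10, 8, 2, 10),
       "StopTime": datetime(2024, 1, 10, 8, 17, 42)}

def scheduled_runs(day, interval=INTERVAL):
    """Yield every scheduled execution time of the alert search within one day."""
    now = day
    while now < day + timedelta(days=1):
        yield now
        now += interval

def fires_today_window(job, now):
    """No StopTime filter, time range 'today so far': matches on every run after the job ends."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight <= job["StopTime"] <= now

def fires_relative_window(job, now, lookback=INTERVAL):
    """Equivalent of `where StopTime > relative_time(now(), "-5m")`.

    The upper bound `<= now` is an assumption: an event cannot be searched before it exists.
    """
    return now - lookback < job["StopTime"] <= now

def count_triggers(job, predicate, day):
    """Count how many scheduled runs in `day` would trigger the alert."""
    return sum(1 for now in scheduled_runs(day) if predicate(job, now))

if __name__ == "__main__":
    day = datetime(2024, 1, 10)
    wide = lambda job, now: fires_relative_window(job, now, timedelta(minutes=10))
    print("today window      :", count_triggers(JOB, fires_today_window, day))
    print("5m lookback       :", count_triggers(JOB, fires_relative_window, day))
    print("10m lookback on 5m:", count_triggers(JOB, wide, day))
```

The lookback only yields a single alert when it equals the schedule interval; a lookback longer than the interval lets consecutive runs see the same StopTime.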