Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create alert if no up alert received within 1 minutes?

Raymundo
Loves-to-Learn
‎03-21-2023 07:35 PM

I have two types of events when the interface is down and when it is up


It usually happens that the interface comes down, after 10 seconds it goes back up.

* An event arrives where it tells me that the interface is down
* Another event arrives where it tells me that the interface is up and it was down for 10 seconds.

I would like to alert if the interface does not come back up in a period of 1 minute.

I have tried several options but I have not been able to make it alert.

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-21-2023 10:07 PM

Hi @Raymundo ,

I suppose that the messages are: system_down and system_up, otherwise adapt my search:

index=your_index (message="system_up" OR message="system_down")
| eval status=if(message="system_up","system_up","system_down")
| stats dc(status) AS status_count values(status) AS status
| where dc_status=1 AND status="system_up"

to run every minute.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...