How to create alert in certain index when the word...

sheldonjolly · ‎11-29-2022

Hi All Splunk Experts.

I'd like to create an alert in a certain index when the word "Finished" doesn't appear within five minutes of the word "Starting".

For context, we upload file and see the string "Started" when we don't see the word "Finished" within 5 minutes, I'd like to have an alert.

btw, me regex knowledge is really crap.

Can you help.

Much appreciated,

Sheldon.

richgalloway · ‎11-29-2022

Search for "Starting" or "Finished" and take the first result. If that result is "Starting" and it's at least 5 minutes old then trigger an alert.

index=foo ("Starting" OR "Finished")
| head 1
| search "Starting"
| where (now() - _time) > 300

Trigger the alert if the number of results is not zero.

---
If this reply helps you, Karma would be appreciated.

sheldonjolly · ‎11-29-2022

Hey Rich, I'll give it a try.

Many thanks for the swift reply.

I'll give you a Karma anyway.

Much appreciated,

Sheldon.

How to create alert in certain index when the word "Finished" doesn't appear within five minutes of the word "Starting"?