Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create alert in certain index when the word "Finished" doesn't appear within five minutes of the word "Starting"?

sheldonjolly
Engager
‎11-29-2022 05:49 AM

Hi All Splunk Experts.

I'd like to create an alert in a certain index when the word "Finished" doesn't appear within five minutes of the word "Starting".

For context, we upload file and see the string "Started" when we don't see the word "Finished" within 5 minutes, I'd like to have an alert.

btw, me regex knowledge is really crap.

Can you help.

Much appreciated, 

Sheldon.

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-29-2022 07:00 AM

Search for "Starting" or "Finished" and take the first result.  If that result is "Starting" and it's at least 5 minutes old then trigger an alert.

 

index=foo ("Starting" OR "Finished")
| head 1
| search "Starting"
| where (now() - _time) > 300

Trigger the alert if the number of results is not zero.

 

---
If this reply helps you, Karma would be appreciated.
Reply

sheldonjolly
Engager
‎11-29-2022 07:09 AM

Hey Rich, I'll give it a try.

Many thanks for the swift reply.

I'll give you a Karma anyway.

Much appreciated,

Sheldon.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...