Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create email alert?

mnj1809
Path Finder
‎02-24-2022 12:32 PM

I supposed to get the some data in Splunk twice in a day. I want to create 2 email alerts as follows:

  • 9 AM email alert: should alert if no data received at 5 AM and/or if no data received previous day at noon. 
  • 3 PM email alert: should alert if no data received at noon and/or if no data received earlier the same morning at 5.

    Thanks for your help in advance.

    @bowesmana 
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-24-2022 11:04 PM

Hi @mnj1809,

if I correctly understood, you want to schedule:

  • an alert at 9.00 AM using as time period 17 hours (from 12.00 of previous day to 5.00 of present day),
  • an alert at 15.00 using as time period 7 hours (from 5.00 of present day to 12.00 of present day).

Is it correct?

If the time period is the same 8always 12 hours) you could schedule only one alert using this cron expression

0 9,15 * * *

Otherwise, you have to schedule two alerts that differ only for the time period, in other words:

Alert 1, scheduled at 9.00

cron

0 9 * * *

Search

index=your_index earliest=-21h@h latest=-4h@h

Alert 2, scheduled at 15.00

cron 

0 15 * * *

search

index=your_index earliest=-10h@h latest=-3h@h

The condition is always 

results=0

 Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-24-2022 11:04 PM

Hi @mnj1809,

if I correctly understood, you want to schedule:

  • an alert at 9.00 AM using as time period 17 hours (from 12.00 of previous day to 5.00 of present day),
  • an alert at 15.00 using as time period 7 hours (from 5.00 of present day to 12.00 of present day).

Is it correct?

If the time period is the same 8always 12 hours) you could schedule only one alert using this cron expression

0 9,15 * * *

Otherwise, you have to schedule two alerts that differ only for the time period, in other words:

Alert 1, scheduled at 9.00

cron

0 9 * * *

Search

index=your_index earliest=-21h@h latest=-4h@h

Alert 2, scheduled at 15.00

cron 

0 15 * * *

search

index=your_index earliest=-10h@h latest=-3h@h

The condition is always 

results=0

 Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

mnj1809
Path Finder
‎02-27-2022 11:58 PM

Thanks for you answer. Your answer helped me what I want to achieve.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-27-2022 11:58 PM

Hi @mnj1809,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...