Alerting

How to create email alert?

mnj1809
Path Finder

I am supposed to get some data in Splunk twice a day. I want to create 2 email alerts as follows:

  • 9 AM email alert: should alert if no data received at 5 AM and/or if no data received previous day at noon. 
  • 3 PM email alert: should alert if no data received at noon and/or if no data received earlier the same morning at 5.

Thanks for your help in advance.

@bowesmana
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @mnj1809,

if I correctly understood, you want to schedule:

  • an alert at 9.00 AM using as time period 17 hours (from 12.00 of previous day to 5.00 of present day),
  • an alert at 15.00 using as time period 7 hours (from 5.00 of present day to 12.00 of present day).

Is it correct?

If the time period is the same (always 12 hours) you could schedule only one alert using this cron expression

0 9,15 * * *

Otherwise, you have to schedule two alerts that differ only for the time period, in other words:

Alert 1, scheduled at 9.00

cron

0 9 * * *

Search

index=your_index earliest=-21h@h latest=-4h@h

Alert 2, scheduled at 15.00

cron

0 15 * * *

Search

index=your_index earliest=-10h@h latest=-3h@h

The condition is always

results=0

Ciao.

Giuseppe


0 Karma
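As an added example (not part of the thread, not Splunk's own code), here is a small Python model of the relative-time modifiers Giuseppe uses (earliest=-21h@h, latest=-4h@h, and so on). It resolves a modifier against the time the alert fires, so you can check that the window really spans "noon yesterday to 5 AM today" before you trust an alert that only fires on results=0; it also derives the modifiers from a desired window, and renders a savedsearches.conf stanza for each alert. The modifier parser covers only the h/d/m units and @h/@d snapping seen on this page (an assumption, not Splunk's full grammar), and the stanza key names are taken from the standard savedsearches.conf alert keys; the index name, alert names and recipient address are placeholders.

```python
from datetime import datetime, timedelta
import re

# Subset of Splunk relative-time syntax: optional "<sign><amount><unit>", optional "@<snap>".
# Assumption: only h/d/m units and @h/@d snapping are modelled (enough for this thread).
MOD_RE = re.compile(r"^(?:([+-]?\d+)([hdm]))?(?:@([hd]))?$")
UNIT = {"h": "hours", "d": "days", "m": "minutes"}


def resolve(modifier, fired_at):
    """Absolute time that `modifier` (e.g. '-21h@h') denotes when the alert runs at `fired_at`.

    Splunk applies the offset first, then snaps down to the @unit boundary.
    """
    if modifier == "now":
        return fired_at
    m = MOD_RE.match(modifier)
    if not m or modifier == "":
        raise ValueError(f"unsupported modifier: {modifier!r}")
    amount, unit, snap = m.groups()
    t = fired_at
    if amount is not None:
        t = t + timedelta(**{UNIT[unit]: int(amount)})
    if snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif snap == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return t


def window(earliest, latest, fired_at):
    """(start, end) of the search window for a scheduled run at `fired_at`."""
    return resolve(earliest, fired_at), resolve(latest, fired_at)


def modifiers_for(fired_at, start, end):
    """Derive earliest/latest modifiers (whole hours, snapped to @h) from a wanted window.

    This is the step the answer leaves implicit: 09:00 minus noon-yesterday is 21 h,
    09:00 minus 05:00 is 4 h, hence earliest=-21h@h latest=-4h@h.
    """
    def hours_back(point):
        delta = fired_at - point
        hours, rem = divmod(int(delta.total_seconds()), 3600)
        if rem != 0 or hours <= 0:
            raise ValueError("window boundaries must be a whole number of hours before the run")
        return f"-{hours}h@h"
    return hours_back(start), hours_back(end)


def stanza(name, cron, earliest, latest, search, recipients):
    """Render a savedsearches.conf alert that fires when the search returns zero events."""
    lines = [
        f"[{name}]",
        "enableSched = 1",
        f"cron_schedule = {cron}",
        f"dispatch.earliest_time = {earliest}",
        f"dispatch.latest_time = {latest}",
        "counttype = number of events",   # trigger condition: number of results ...
        "relation = equal to",            # ... equal to ...
        "quantity = 0",                   # ... zero (the "results=0" condition in the thread)
        "action.email = 1",
        f"action.email.to = {recipients}",
        f"search = {search}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample run times; the dates are arbitrary.
    morning = datetime(2024, 3, 5, 9, 0)
    afternoon = datetime(2024, 3, 5, 15, 0)
    print("09:00 run covers", window("-21h@h", "-4h@h", morning))
    print("15:00 run covers", window("-10h@h", "-3h@h", afternoon))
    # The @h snap keeps the window stable if the scheduler runs a few minutes late.
    print("late run still ends at", resolve("-4h@h", datetime(2024, 3, 5, 9, 7, 33)))
    print(stanza("missing_feed_morning", "0 9 * * *", "-21h@h", "-4h@h",
                 "index=your_index", "soc@example.invalid"))
```

Running the block prints the two windows as absolute times, which is the quickest way to spot an off-by-one-hour mistake (for example after a DST change) before the alert goes live; the @h snap also means a run delayed by a few minutes still searches the same hour boundaries.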


mnj1809
Path Finder

Thanks for your answer. Your answer helped me achieve what I wanted.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mnj1809,

good for you, see you next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma