Alerting

How to create an email alert?

mnj1809
Path Finder

I am supposed to get some data in Splunk twice a day. I want to create 2 email alerts as follows:

  • 9 AM email alert: should alert if no data was received at 5 AM and/or if no data was received the previous day at noon.
  • 3 PM email alert: should alert if no data was received at noon and/or if no data was received earlier the same morning at 5.

Thanks for your help in advance.

@bowesmana
1 Solution

gcusello
SplunkTrust

Hi @mnj1809,

if I understood correctly, you want to schedule:

  • an alert at 9.00 AM using a time period of 17 hours (from 12.00 of the previous day to 5.00 of the present day),
  • an alert at 15.00 using a time period of 7 hours (from 5.00 to 12.00 of the present day).

Is it correct?

If the time period is the same (always 12 hours) you could schedule only one alert using this cron expression

0 9,15 * * *

Otherwise, you have to schedule two alerts that differ only in the time period, in other words:

Alert 1, scheduled at 9.00

cron

0 9 * * *

Search

index=your_index earliest=-21h@h latest=-4h@h

Alert 2, scheduled at 15.00

cron

0 15 * * *

search

index=your_index earliest=-10h@h latest=-3h@h

The condition is always

results=0

Ciao.

Giuseppe

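A savedsearches.conf rendering of the two alerts above, added here as an example and not taken from the thread; the index name, recipient address and stanza names are placeholders. The third stanza goes one step beyond the thread: a single count over the whole window only fires when both expected deliveries are absent, so it buckets events by delivery slot and fires when either slot is empty.

```ini
# savedsearches.conf (local/ of the app that owns the alert); assumptions:
# index "your_index" and recipient "soc@example.com" are placeholders.

# Alert 1: runs at 09:00, window = yesterday 12:00 to today 05:00 (-21h@h .. -4h@h); latest is exclusive
[Feed missing - 09:00 check]
enableSched = 1
cron_schedule = 0 9 * * *
dispatch.earliest_time = -21h@h
dispatch.latest_time = -4h@h
search = index=your_index
# trigger on an empty result set, i.e. "results=0"
alert_type = number of events
alert_comparator = equal to
alert_threshold = 0
action.email = 1
action.email.to = soc@example.com
action.email.subject = Feed missing: no events yesterday 12:00 - today 05:00
action.email.sendresults = 0

# Alert 2: runs at 15:00, window = today 05:00 to today 12:00 (-10h@h .. -3h@h)
[Feed missing - 15:00 check]
enableSched = 1
cron_schedule = 0 15 * * *
dispatch.earliest_time = -10h@h
dispatch.latest_time = -3h@h
search = index=your_index
alert_type = number of events
alert_comparator = equal to
alert_threshold = 0
action.email = 1
action.email.to = soc@example.com
action.email.subject = Feed missing: no events today 05:00 - 12:00

# Variant of Alert 1 that also fires when only ONE of the two expected drops
# is missing: bucket each event by delivery slot (05:00 run vs noon run) and
# alert when fewer than 2 distinct slots are seen. stats without BY always
# returns one row, so an empty window yields deliveries=0 and still triggers.
[Feed missing - 09:00 check, per delivery]
enableSched = 1
cron_schedule = 0 9 * * *
dispatch.earliest_time = -21h@h
dispatch.latest_time = -4h@h
search = index=your_index | eval hour=tonumber(strftime(_time, "%H")) | eval slot=if(hour<9, "05:00", "12:00") | stats dc(slot) AS deliveries
alert_type = custom
alert_condition = search deliveries < 2
action.email = 1
action.email.to = soc@example.com
action.email.subject = Feed missing: at least one delivery absent since yesterday noon
```

cron_schedule and the @h snapping are evaluated in the search head's local time, so check the server time zone matches the one the feed's delivery times are expressed in.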


mnj1809
Path Finder

Thanks for your answer. Your answer helped me with what I want to achieve.


gcusello
SplunkTrust

Hi @mnj1809,

good for you, see you next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉
