Re: How to get an alert only when the count is con...

sahil237888 · ‎08-14-2018

I want to run a query for every 10 minutes timeframe. But it should alert only when count is continuously 0 for consecutive 5 minutes.

livehybrid · ‎08-14-2018

So, schedule a search that runs every 10 minutes that does this:
index=main | timechart span=1m dc(src_ip) as testCount | eval error=IF(testCount>0, 1, 0) | streamstats window=5 sum(error) as errorSample | eval alert=IF(errorSample>=5,"ALERT","OKAY")

sahil237888 · ‎08-16-2018

After 5 , it is not restting the counter.
The counter should be 0 after 5.

sahil237888 · ‎08-17-2018

_Time Count Counter
17-08-18 8:09 100 0
17-08-18 8:10 500 0
17-08-18 8:11 81 0
17-08-18 8:12 20 0
17-08-18 8:13 56 0
17-08-18 8:14 0 1
17-08-18 8:15 0 2
17-08-18 8:16 0 3
17-08-18 8:17 0 4
17-08-18 8:18 0 5
17-08-18 8:19 789 0
17-08-18 8:20 5 0
17-08-18 8:21 0 1
17-08-18 8:22 0 2
17-08-18 8:23 0 3
17-08-18 8:24 86 0

Here basically the query should check within 10 minutes timeframe.
and If there is continuously 0 in continuous 5 minutes, It should increase counter value to +1 with every occurrence of 0 continuously. The counter will be reset to 0 if there is no 0 in count column.

and should send alert that there is continuous 0 in continuous 5 minutes (it should also show the result at the time the count was 0.

How to get an alert only when the count is continuously 0 for consecutive 5 minutes?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025

Are you a member of the Splunk Community?

How to get an alert only when the count is continuously 0 for consecutive 5 minutes?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025