Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to make an alert wait for 5 minutes after it finds an event, and collect all the events in those 5 minutes

rohanmiskin
Explorer
‎11-10-2021 05:48 AM

I've setup an alert , where i'm saying send alert as soon as 1 record is found. But actually i want to wait for few more events to happen in the next 5 minutes. I want my alert to wait for 5 minutes and collect all the events, and then send report. Is there a way to make my alert wait until it fetched all the events that'll happen in the next five minutes?

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-10-2021 06:04 AM

Hi @rohanmiskin,

you could try something like this:

index=your_index [ search index=your_index "string_to_search" | head 1 | eval earliest=_time, latest=relative_time(_time,"+5m") | fields earliest latest ]
| ...

in this way, using the subsearch, you identify the timestamp of the event to search and you display all the events from that time stamp for the following 5 minutes.

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-10-2021 05:58 AM

Have your search scheduled for every minute collecting events from the past 5 minutes and only if the event you are looking for occurs in the first minute so you raise an alert and send the message.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...