How to make an alert wait for 5 minutes after it f...

rohanmiskin · ‎11-10-2021

I've setup an alert , where i'm saying send alert as soon as 1 record is found. But actually i want to wait for few more events to happen in the next 5 minutes. I want my alert to wait for 5 minutes and collect all the events, and then send report. Is there a way to make my alert wait until it fetched all the events that'll happen in the next five minutes?

gcusello · ‎11-10-2021

Hi @rohanmiskin,

you could try something like this:

index=your_index [ search index=your_index "string_to_search" | head 1 | eval earliest=_time, latest=relative_time(_time,"+5m") | fields earliest latest ]
| ...

in this way, using the subsearch, you identify the timestamp of the event to search and you display all the events from that time stamp for the following 5 minutes.

Ciao.

Giuseppe

ITWhisperer · ‎11-10-2021

Have your search scheduled for every minute collecting events from the past 5 minutes and only if the event you are looking for occurs in the first minute so you raise an alert and send the message.

How to make an alert wait for 5 minutes after it finds an event, and collect all the events in those 5 minutes

alert condition

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform