Alerting

How to make an alert wait for 5 minutes after it finds an event, and collect all the events in those 5 minutes

rohanmiskin
Explorer

I've set up an alert where I'm saying send the alert as soon as 1 record is found. But actually I want to wait for a few more events to happen in the next 5 minutes. I want my alert to wait for 5 minutes and collect all the events, and then send the report. Is there a way to make my alert wait until it has fetched all the events that'll happen in the next five minutes?


gcusello
SplunkTrust

Hi @rohanmiskin,

you could try something like this:

index=your_index [ search index=your_index "string_to_search" | head 1 | eval earliest=_time, latest=relative_time(_time,"+5m") | fields earliest latest ]
| ...

In this way, using the subsearch, you identify the timestamp of the event to search for and you display all the events from that timestamp for the following 5 minutes.

Ciao.

Giuseppe


ITWhisperer
SplunkTrust

Have your search scheduled every minute, collecting events from the past 5 minutes, and only if the event you are looking for occurs in the first minute do you raise an alert and send the message.

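A concrete form of the scheduled-search approach described above, added here as an example and not code from the thread; `your_index` and `string_to_search` are placeholders carried over from the earlier answer, and the search is assumed to be saved as an alert that runs every minute (cron `* * * * *`) and triggers when the number of results is greater than 0. The window is the last five whole minutes; `first_trigger` is the earliest matching event in that window, and the `where` on `relative_time(now(), "-4m@m")` keeps results only when that event falls in the first minute of the window, so each trigger event fires the alert exactly once, together with everything that arrived in the following four to five minutes:

```spl
index=your_index earliest=-5m@m latest=@m
| eval is_trigger=if(searchmatch("string_to_search"), 1, 0)
| eventstats min(eval(if(is_trigger=1, _time, null()))) AS first_trigger
| where isnotnull(first_trigger) AND first_trigger < relative_time(now(), "-4m@m")
| where _time >= first_trigger
| sort _time
| table _time is_trigger _raw
```

Events indexed late (after the window has moved past their timestamp) will not be included, so allow for indexing lag by widening the window if that matters for the report.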