Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set an alert that is triggered at different times

MeMilo09
Path Finder
‎11-10-2021 03:49 PM

Hi All,

Need guidance on how to approach this. I need help with creating an alert that triggers during different times, for instance:

Alert will trigger if:

If Y-email was sent over 1 day ago

If Z-email  was sent over 2 days ago 

if M-email was sent over 3 days ago 

All these triggers will be a part of 1 email... can this be done with cron schedule alone or will the time need to be hard coded in the code itself? Or will I need separate alerts? 

Labels (4)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-10-2021 05:10 PM

Cron schedules tell the alert when to run, but can't control when/if it triggers.  Add logic to the alert query that tests for the trigger criteria and produces results when a criterium is met.  The alert should be set to trigger when more than zero results are returned.

The test logic should look something like this:

<extract the Y-email send date>
<extract the Z-email send date>
<extract the M-email send date>
| where (YmailSendDate>=relative_time(now(),"-1d") OR
         ZmailSendDate>=relative_time(now(),"-2d") OR
         MmailSendDate>=relative_time(now(),"-3d") )
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-10-2021 05:10 PM

Cron schedules tell the alert when to run, but can't control when/if it triggers.  Add logic to the alert query that tests for the trigger criteria and produces results when a criterium is met.  The alert should be set to trigger when more than zero results are returned.

The test logic should look something like this:

<extract the Y-email send date>
<extract the Z-email send date>
<extract the M-email send date>
| where (YmailSendDate>=relative_time(now(),"-1d") OR
         ZmailSendDate>=relative_time(now(),"-2d") OR
         MmailSendDate>=relative_time(now(),"-3d") )
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...