Alerting

How to set an alert that is triggered at different times

MeMilo09
Path Finder

Hi All,

Need guidance on how to approach this. I need help with creating an alert that triggers during different times, for instance:

Alert will trigger if:

If Y-email was sent over 1 day ago

If Z-email  was sent over 2 days ago 

if M-email was sent over 3 days ago 

All these triggers will be a part of 1 email... can this be done with cron schedule alone or will the time need to be hard coded in the code itself? Or will I need separate alerts? 

Labels (4)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Cron schedules tell the alert when to run, but can't control when/if it triggers.  Add logic to the alert query that tests for the trigger criteria and produces results when a criterium is met.  The alert should be set to trigger when more than zero results are returned.

The test logic should look something like this:

<extract the Y-email send date>
<extract the Z-email send date>
<extract the M-email send date>
| where (YmailSendDate>=relative_time(now(),"-1d") OR
         ZmailSendDate>=relative_time(now(),"-2d") OR
         MmailSendDate>=relative_time(now(),"-3d") )
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Cron schedules tell the alert when to run, but can't control when/if it triggers.  Add logic to the alert query that tests for the trigger criteria and produces results when a criterium is met.  The alert should be set to trigger when more than zero results are returned.

The test logic should look something like this:

<extract the Y-email send date>
<extract the Z-email send date>
<extract the M-email send date>
| where (YmailSendDate>=relative_time(now(),"-1d") OR
         ZmailSendDate>=relative_time(now(),"-2d") OR
         MmailSendDate>=relative_time(now(),"-3d") )
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...