Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set up a scheduled search every 5 minutes and trigger an alert if a stats average on response time is greater than 30 seconds?

ScottFree
Engager
‎02-04-2015 08:41 AM

New to Splunk.

Trying to watch an application for abnormal response time behavior and I can't get the alert to trigger. I am obviously doing something wrong here.

Here's the search string I'm using:

host=MyHost*   GET campaignID="*" clientID="*" memberID="*"| bucket _time span=1m | stats avg(time_taken) as avg by _time | where avg > 30

I open it in search and the search (all time) returns chunks of 5 minute results back to the software initial release. (returned 9k matches on 4M events).

I had the alert scheduled on cron */5 * * * * and I have tried both

number of results
greater than 0

and with

Trigger Condition Custom
where avg(time_taken) > 30

Neither of them worked to actually generate email (email path is definitely working), or show up in the Triggered Alerts list.

So my actual question's are 2:

1. Is this the right way to get the result I want, which is basically to check every 5 minutes to see if the average GET response is higher than 30 seconds.

2. Once I (we) figure out how to trigger the alert, is it going to blast me with results from all time, or just the last 5 minutes?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

masonmorales
Influencer
‎02-04-2015 10:02 AM

Based on your search it looks like you want to know if the average response time is greater than 30 seconds for any 1 minute slice of time. Assuming that's correct, your search should work. If you lower the threshold (i.e. "where avg > 30" to something lower (whatever is typical in your environment), does it generate an e-mail?

Also, what time range are you using in your saved search? If it's all-time and you are running it every 5 minutes, that could be why it's not triggering. I would add in earliest=-5m latest=now to your search in addition to scheduling it to run every 5 minutes.

"Number of results greater than 0" should be a sufficient alert trigger.

As for blasting you with results, you can configure Splunk to throttle alerts. The alerting manual has pretty good documentation on this: http://docs.splunk.com/Documentation/Splunk/6.2.1/Alert/Aboutalerts

View solution in original post

Reply
Solved! Jump to solution
Solution

masonmorales
Influencer
‎02-04-2015 10:02 AM

Based on your search it looks like you want to know if the average response time is greater than 30 seconds for any 1 minute slice of time. Assuming that's correct, your search should work. If you lower the threshold (i.e. "where avg > 30" to something lower (whatever is typical in your environment), does it generate an e-mail?

Also, what time range are you using in your saved search? If it's all-time and you are running it every 5 minutes, that could be why it's not triggering. I would add in earliest=-5m latest=now to your search in addition to scheduling it to run every 5 minutes.

"Number of results greater than 0" should be a sufficient alert trigger.

As for blasting you with results, you can configure Splunk to throttle alerts. The alerting manual has pretty good documentation on this: http://docs.splunk.com/Documentation/Splunk/6.2.1/Alert/Aboutalerts

Reply
Solved! Jump to solution

indut
Path Finder
‎10-19-2020 12:38 AM

Thank you for the git link reference to the app,  create_thehive_alert.It worked.

I tried using app, "TA_the hive_ce" but this did not help to send alerts from splunk to the hive.

 

0 Karma
Reply
Solved! Jump to solution

arunshah
New Member
‎05-10-2017 05:35 PM

I have a question on how to set a cron for an alert to have it trigger every 10 mins within a time.

For an example, if I want the alert to be triggered every 10 mins from 3 Am to 9 PM only. I tried this but it doesn't seems to be working as expected.

*/10 03-23 * * *
0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎02-04-2015 10:06 AM

Another thing you can try... Does this search generate any alerts? (This is just taking an average of the entire five minute window and returning a single value, rather than by minute, then searches for averages above 1 second)

host=MyHost* GET campaignID="*" clientID="*" memberID="*" earliest=-5m latest=now | stats avg(time_taken) as avg | search avg > 1
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...