Solved: How to set up alerts for high response time?

pashernx · ‎04-28-2015

Current Alert Setup:
I am trying to set up an alert to send an email when the response time from the server is higher (>60ms). I have the webpage running on 4 hosts.

Search string:

index=iserver env=prod sourcetype="iis-access"  uri_path="index.html" code=200 | where time_taken > 60

Alert Type: Real-time.
Trigger Condition: Number of Results is > 1 in 5 minutes. Edit
When triggered, execute actions: For each result.

I have a throttle setup for the field 'host' for 2 minutes. I do not want the same host to be reported for next 2 minutes at least.

Problem: The alert triggers perfectly and shoots an email only once for each result after setup and for the rest of the day, I do not get any email alerts. But the search returns results when I open it in search in real-time.

Can someone help me identify where am I getting it wrong?

Thanks,

stephane_cyrill · ‎04-28-2015

Check the EXPIRATION time of your alert.It may have been expired.

View solution in original post

stephane_cyrill · ‎04-28-2015

Check the EXPIRATION time of your alert.It may have been expired.

jawaharas · ‎03-26-2019

I hope you are referring editing below parameter in $SPLUNK_BASE/etc/system/local/savedsearches.conf file.

alert.expires = <new_value>
# it was 24h in the defaults

How to set up alerts for high response time?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation