Alerting

How to set up alerts for high response time?

pashernx
Explorer

Current Alert Setup:
I am trying to set up an alert to send an email when the response time from the server is higher (>60ms). I have the webpage running on 4 hosts.

Search string:

index=iserver env=prod sourcetype="iis-access"  uri_path="index.html" code=200 | where time_taken > 60

Alert Type: Real-time.
Trigger Condition: Number of Results is > 1 in 5 minutes. Edit
When triggered, execute actions: For each result.

I have a throttle setup for the field 'host' for 2 minutes. I do not want the same host to be reported for next 2 minutes at least.

Problem: The alert triggers perfectly and shoots an email only once for each result after setup and for the rest of the day, I do not get any email alerts. But the search returns results when I open it in search in real-time.

Can someone help me identify where am I getting it wrong?

Thanks,

1 Solution

stephane_cyrill
Builder

Check the EXPIRATION time of your alert.It may have been expired.

View solution in original post

stephane_cyrill
Builder

Check the EXPIRATION time of your alert.It may have been expired.

jawaharas
Motivator

I hope you are referring editing below parameter in $SPLUNK_BASE/etc/system/local/savedsearches.conf file.

alert.expires = <new_value>
# it was 24h in the defaults
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...