Solved: Re: How to set up alerts for high response time?

pashernx · ‎04-28-2015

Current Alert Setup:
I am trying to set up an alert to send an email when the response time from the server is higher (>60ms). I have the webpage running on 4 hosts.

Search string:

index=iserver env=prod sourcetype="iis-access"  uri_path="index.html" code=200 | where time_taken > 60

Alert Type: Real-time.
Trigger Condition: Number of Results is > 1 in 5 minutes. Edit
When triggered, execute actions: For each result.

I have a throttle setup for the field 'host' for 2 minutes. I do not want the same host to be reported for next 2 minutes at least.

Problem: The alert triggers perfectly and shoots an email only once for each result after setup and for the rest of the day, I do not get any email alerts. But the search returns results when I open it in search in real-time.

Can someone help me identify where am I getting it wrong?

Thanks,

stephane_cyrill · ‎04-28-2015

Check the EXPIRATION time of your alert.It may have been expired.

View solution in original post

stephane_cyrill · ‎04-28-2015

Check the EXPIRATION time of your alert.It may have been expired.

jawaharas · ‎03-26-2019

I hope you are referring editing below parameter in $SPLUNK_BASE/etc/system/local/savedsearches.conf file.

alert.expires = <new_value>
# it was 24h in the defaults

How to set up alerts for high response time?

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!