Alerting

How to trigger an alert when status field is true for more than 5 min

Path Finder

Hi Splunkers,

I have events which update every 1 minute; if the Status field is true for more than 5 min, I need to trigger an alert.

for example

1:00 Status = False
1:03 Status = True
1:07 Status = False
1:10 Status = True
1:13 Status = True
1:16 Status = True

Now I need to trigger an alert as the Status is true from 1:10 to 1:16, which is more than 5 minutes.

If in between it came false, I don't need an alert.

Thanks in advance.

| stats latest(status) as statusLast latest(time) as time by place
| eval now=now() | eval downSince=now-time | eval downMoreThan5Min=if(downSince>300,1,0)
| search statusLast="True" AND downMoreThan5Min=1

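The rule in the question (alert when Status has stayed True for more than 5 minutes, with any False in between cancelling the run) is easy to get wrong in SPL, so here is the same logic written out in plain Python as an added example. This is not code from the thread or from Splunk; the "place" column, the "siteB" timeline and the optional `now` argument are assumptions added to show the per-place grouping mentioned later in the thread and the case where a source stops reporting while True.

```python
from datetime import datetime, timedelta

# Constructed sample events: (H:MM, place, status).  The "siteA" rows mirror
# the timeline in the question; "siteB" and the place column are assumed.
SAMPLE_EVENTS = [
    ("1:00", "siteA", "False"),
    ("1:03", "siteA", "True"),
    ("1:07", "siteA", "False"),
    ("1:10", "siteA", "True"),
    ("1:13", "siteA", "True"),
    ("1:16", "siteA", "True"),
    ("1:00", "siteB", "True"),
    ("1:04", "siteB", "False"),
    ("1:05", "siteB", "True"),
    ("1:09", "siteB", "True"),
]


def parse_hhmm(text):
    """Parse an H:MM clock string into a datetime (the date part is irrelevant here)."""
    return datetime.strptime(text, "%H:%M")


def fmt(ts):
    """Format a datetime back to the H:MM style used in the sample data."""
    return f"{ts.hour}:{ts.minute:02d}"


def find_alerts(events, threshold=timedelta(minutes=5), now=None):
    """Return one alert per continuous True run that lasts longer than threshold.

    Semantics, as stated in the question:
      * a run starts at the first True event after a False (or at the first event),
      * any False event ends the run without an alert,
      * the alert fires on the first event at which the run exceeds threshold,
        once per run (it re-arms only after a False),
      * if `now` is given, a run that is still open is also measured against the
        clock, so a source that stops reporting while True still produces an alert.
    Each alert is (place, run_start, fired_at, minutes_true).
    """
    ordered = sorted(events, key=lambda e: (e[1], parse_hhmm(e[0])))
    run_start = {}   # place -> datetime at which the current True run began
    fired = set()    # places whose current run has already alerted
    alerts = []
    for time_text, place, status in ordered:
        ts = parse_hhmm(time_text)
        if status != "True":
            run_start.pop(place, None)   # a False resets the run and re-arms the alert
            fired.discard(place)
            continue
        start = run_start.setdefault(place, ts)
        if place not in fired and ts - start > threshold:
            alerts.append((place, fmt(start), fmt(ts), (ts - start).total_seconds() / 60))
            fired.add(place)
    if now is not None:
        # Open runs: measure elapsed time against the clock, not the last event.
        for place, start in run_start.items():
            if place not in fired and now - start > threshold:
                alerts.append((place, fmt(start), fmt(now), (now - start).total_seconds() / 60))
                fired.add(place)
    return sorted(alerts)


if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))
    print(find_alerts(SAMPLE_EVENTS, now=parse_hhmm("1:20")))
```

On the sample data only siteA alerts (run from 1:10, fired at 1:16, 6 minutes); siteB's runs are 4 minutes each and never fire. Unlike a fixed-size window count, this measures elapsed time since the run started, so it does not depend on the source reporting exactly once a minute; passing `now` covers the stuck-True-and-silent case that the question's own `now()-time` search was reaching for.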

SplunkTrust

try this search anywhere (you can remove the | head 100 for a larger result set):

| gentimes start=-1 increment=1m
| head 100
| eval _time = starttime
| eval status = random()%2
| eval status = if(status=1,"True","False")
| table _time status
| sort -_time
| rename COMMENT as "above is sample data, below is your solution"
| streamstats time_window=5m count(eval(status="True")) as true_status_count count as window_count
| where true_status_count>=5 AND true_status_count=window_count

hope it helps

Champion

try this
| timechart span=5min list(Status) as Status
| eval one=mvindex(Status,0),two=mvindex(Status,1),three=mvindex(Status,2),four=mvindex(Status,3),five=mvindex(Status,4)
| eval trigger=if(one="True" AND two="True" AND three="True" AND four="True" AND five="True",1,0)
| where trigger=1

Alert triggers if trigger=1
The timechart takes all 5 values of past 5 mins, the eval extracts all 5 values and the trigger checks that all (AND join) values are true


Path Finder

It didn't work for me, as I will do the | timechart span=5min values(Status) by place, where I have many places, and it gives the result of every 5 min status.

I need to check whether the status is true within the 5 mins.


Champion

try this
NOTE: use proper case for status and place; in my dummy data everything is in lower case

| eventstats max(_time) as maxtime
| eval diff=(maxtime-_time)/60
| eval mark=if(diff<=6,1,0)
| where mark=1
| eval flg=if(status="TRUE",1,0)
| stats count as total sum(flg) as sumflg by place
| where sumflg>=5 AND sumflg=total

Alert triggers when the result count of the above query is more than 0


Champion

hi @SathyaNarayanan
Can you please check and confirm on your issue? Please accept the answer if it significantly helped resolve your issue. Do not forget to add/modify the answer if you did some modifications and then accept the answer.
