Alerting

How to trigger this type of alert?

tchintam
Path Finder

Hi,

I have these events from which I calculate the response time for a particular ping. The events are generated randomly, not at any particular time. So I want to create an alert such that if the response time is greater than 10 sec for more than 30 mins, it triggers an alert. How do I go about it?

0 Karma

mayurr98
Super Champion

Can you provide the search you use to calculate the response time?
You can use the timechart command to segregate the response time.

<base search with response time and time>| timechart span=30m sum(response_time) as response_time | where response_time>10

Assuming that the response time is already in seconds; otherwise you would need to convert it to seconds initially.

Let me know if this helps!

0 Karma

tchintam
Path Finder

The response time is already in seconds. Could you please explain the timechart span=30m that you used?

0 Karma

mayurr98
Super Champion

I think this doc would explain it better:
http://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Timechart

timechart will bin the events into spans of 30 minutes, and within each 30-minute bin it will check for a response time greater than 10, as specified in the where clause.

0 Karma

tchintam
Path Finder

Mayur - I don't think you understood my question. I have to trigger an alert iff the response time is greater than 10 sec even after 30 mins, i.e. for the first 30 mins, no alert. At 30 mins 1 sec (if the response time is still >10s), the alert has to be triggered.

0 Karma
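A scheduled search that expresses the sustained condition the question describes (slow for the whole of the last 30 minutes, as opposed to a large summed response time inside a 30-minute timechart bin), added here as an example and not posted by either participant in the thread. `<base search with response_time>` stands for the poster's own search, which the thread does not show; the field name response_time, a value in seconds, and the 25-minute guard on the first observed ping are assumptions.

```spl
<base search with response_time> earliest=-30m@m latest=@m
| stats count AS pings
        min(response_time) AS min_rt
        min(_time) AS first_seen
        max(_time) AS last_seen
| where pings > 0 AND min_rt > 10 AND first_seen <= relative_time(now(), "-25m")
```

Save it as an alert that runs on a cron schedule (every 5 minutes, for instance) with the trigger condition "Number of results is greater than 0". The search returns a row only when every ping in the last 30 minutes took longer than 10 seconds and the earliest of those pings was already at least 25 minutes old, so a single 30-minute window of slow pings fires the alert and a single fast ping anywhere in the window suppresses it; the 25-minute guard stops one slow ping that arrived a moment ago from firing on its own. Because the condition stays true on every subsequent run until a fast ping arrives, throttle the alert (suppress results for 30 minutes) to avoid a notification every 5 minutes for the same outage.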