How to trigger this type of a alert?

tchintam · ‎05-15-2018

Hi,

I have these events from where I calculate response time for the particular ping. The events are generated randomly and not at any particular time. So, I want to create an alert in such a way that if the response time is greater than 10 sec for more than 30 mins, it should trigger an alert. How do I go about it?

mayurr98 · ‎05-15-2018

can you provide the search to calculate response time?
you can use timechart command to segregate the response time.

<base search with response time and time>| timechart span=30m sum(response_time) as response_time | where response_time>10

Assuming that response time is in seconds already otherwise you would need to convert to seconds intially.

Let me know if this helps!

tchintam · ‎05-15-2018

The response time is already in seconds. Could you please explain the timechart span=30m that you used?

mayurr98 · ‎05-15-2018

I think this doc would explain it better:
http://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Timechart

timechart will make a bin of span of 30 minutes and in that 30 minutes, it will check for the response time greater than 10 specified in the where clause.

tchintam · ‎05-15-2018

Mayur - I don't think you understood my question. I have to trigger an alert iff the response time is greater than 10 sec even after 30 mins, i.e. for first 30 mins, no alert. 30 mins 1 sec(if still the response time is >10s), the alert has to be triggered.

How to trigger this type of a alert?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?