Alerting

How to trigger this type of alert?

Path Finder

Hi,

I have these events from which I calculate the response time for a particular ping. The events are generated randomly and not at any particular time. So, I want to create an alert in such a way that if the response time is greater than 10 sec for more than 30 mins, it should trigger an alert. How do I go about it?


Re: How to trigger this type of alert?

SplunkTrust

Can you provide the search you use to calculate the response time?
You can use the timechart command to segregate the response time.

<base search with response time and time>| timechart span=30m sum(response_time) as response_time | where response_time>10

This assumes that the response time is already in seconds; otherwise you would need to convert it to seconds initially.

Let me know if this helps!


Re: How to trigger this type of alert?

Path Finder

The response time is already in seconds. Could you please explain the timechart span=30m that you used?


Re: How to trigger this type of alert?

SplunkTrust

I think this doc would explain it better:
http://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Timechart

timechart will put the events into bins spanning 30 minutes each, and within each 30-minute bin it will check for a response time greater than 10 as specified in the where clause.


Re: How to trigger this type of alert?

Path Finder

Mayur - I don't think you understood my question. I have to trigger an alert iff the response time is greater than 10 sec even after 30 mins, i.e. for the first 30 mins, no alert. At 30 mins 1 sec (if the response time is still >10s), the alert has to be triggered.

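The condition the last post asks for (slow responses that persist continuously for more than 30 minutes, with any single fast ping resetting the clock) is a streak check over irregularly timed events, not a per-bin sum. The following Python is an added example, not code from the thread or from Splunk; it evaluates that streak logic over a constructed set of ping events and assumes the threshold (10 s) and minimum duration (30 min) from the question.

```python
from datetime import datetime, timedelta

THRESHOLD_SECONDS = 10.0              # a ping slower than this counts as "slow"
MIN_DURATION = timedelta(minutes=30)  # the slow streak must last longer than this

# Constructed sample events: (timestamp, response_time in seconds).
# Timestamps are deliberately irregular, like the randomly generated events in the question.
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:00", 3.2),
    ("2024-01-01 10:07:00", 12.5),  # slow streak starts here
    ("2024-01-01 10:19:30", 11.0),
    ("2024-01-01 10:31:00", 14.8),
    ("2024-01-01 10:38:10", 10.4),  # 31 min 10 s after the streak began -> alert
]


def parse_events(rows):
    """Turn (timestamp string, response time) rows into (datetime, float) tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), float(rt)) for ts, rt in rows]


def slow_streak_duration(events, threshold=THRESHOLD_SECONDS):
    """Return how long the current run of slow events has lasted.

    The run is measured from the first slow event after the last fast one
    up to the most recent event. A single fast ping resets it, and if the
    most recent event itself is fast the duration is zero.
    """
    events = sorted(events)  # events may arrive out of order; order by timestamp
    streak_start = None
    for ts, rt in events:
        if rt > threshold:
            if streak_start is None:
                streak_start = ts
        else:
            streak_start = None  # any fast ping resets the streak
    if streak_start is None:
        return timedelta(0)
    return events[-1][0] - streak_start


def should_alert(events, threshold=THRESHOLD_SECONDS, min_duration=MIN_DURATION):
    """Alert only once the slow streak has lasted strictly longer than min_duration,
    so exactly 30 minutes of slow pings does not fire but 30 min 1 s does."""
    return slow_streak_duration(events, threshold) > min_duration


if __name__ == "__main__":
    print("alert" if should_alert(parse_events(SAMPLE_EVENTS)) else "no alert")
```

Run as a scheduled check over the last hour of events, this fires on the fifth sample event and stays quiet if the 10:25 ping had been fast, because the streak would restart at 10:31.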