Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Real index time alert

cybrtitan
New Member
‎01-13-2020 02:30 PM

I understand how to create a real time alert that runs every hour or 5 minutes or whatever, but to my understanding that alert is based on the time stamp on the log we are alerting on. But I have machines that are potentially offline for periods meaning that is possible for that alert to be missed as those logs wouldn't be uploaded until it reconnects to spunk and it is possible for it to miss the alert window.

So would like to use the idea produced in answers 42646 

 | eval delay=_indextime-_time | bucket bins=30 delay

(i can't post links so that's the best i can do)

but i don't understand how to get that working for a alert when most of the time you program the run (kron) time in the GUI and not in the query its self.

0 Karma
Reply

acfecondo75
Path Finder
‎01-15-2020 06:28 AM

Similar to how you can set earliest and latest in a search query to specify time constraints, you can also specify _index_earliest and _index_latest to specify time constraints based on _indextime. You would still want to schedule the search to run on the same CRON as before.

index=* _index_earliest=-60m _index_latest=now

This search will look only at events that were indexed in the past 60 minutes. Then you set your CRON to 15 * * * * to have it run every hour, fifteen minutes after the hour (or whatever interval you want).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...