Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Real-time alert conditions

gtorrent
Explorer
‎03-31-2015 05:04 AM

I observed an surprising Splunk behaviour creating a real-time alert for the following query:

 index="thirdlane" sourcetype="asterisk_queue_log_*" 
| TRANSACTION callid maxspan=10m startswith(event=ENTERQUEUE)
| SEARCH (event=EXITEMPTY OR event=AGENTDUMP OR event=EXITWITHKEY OR event=EXITWITHTIMEOUT OR event=ABANDON) 
| REX "(?i)\|ENTERQUEUE\|.*?\|(?P<tlfnumber>.+)\|"
| TABLE _time tlfnumber queuename duration

When the alert condition is 'always', the received email contains an unexpected result (tlfnumber='' and duration=0).

Otherwise, when the alert condition is 'if number of events is greater than 0', the received email contains the expected result. But, when I edit the email action, Splunk displays the following message:

Unsupported Alert. 
A real-time alert with a time range of all-time and a condition other than always is not supported. 
It is recommended you change the time range of the alert to something other than Start Time 'rt' Finish Time 'rt' in Settings.

Is this the expected behaviour?
What is the explanation of this behaviour?

0 Karma
Reply

gtorrent
Explorer
‎03-31-2015 11:54 PM

Additional info: We are running splunk 6.1.2 (build 213098) on a linux machine.

0 Karma
Reply

gyslainlatsa
Motivator
‎03-31-2015 06:19 AM

hi gtorrent,
for the Real-time alert condition, do not specify the timerange. leave this field empty, The real-time alert specifies when the search runs.

try to following this link: http://docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Defineper-resultalerts

0 Karma
Reply

gtorrent
Explorer
‎03-31-2015 06:52 AM

I have not modified the time range values. The time range values are: 'rt'.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...