Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Realtime Threshold Alerts

pepper_seattle
Path Finder
‎07-10-2014 03:11 PM

I have a realtime view that updates every 120s with the overall revenue picture of the last 2 hours, query looks like this:

index=### sourcetype=### | eval amt=round(amt/100,2) | timechart sum(amt) span=120s

What I need is an alert for when this sum drops below a certain value, let's say 500. The biggest problem I'm having is that I can get this information to show up, but I can't figure out how to keep Splunk from also trying to count the current 120s as below this value. Essentially what will happen is that I'll set this to column view and the most recent column will update live as the 120s value is being gathered. If I set this as an alert I'm afraid I'll just get spammed with emails given that it counts the now information before the 120s has passed. Anyone know how to get Splunk to essentially ignore the information that is being actively gathered over the 120s?

Tags (3)
0 Karma
Reply

musskopf
Builder
‎07-10-2014 10:26 PM

If I understood right, you'll need to restrict your real time search to something like that:

index=xxxx earliest=rt-240s latest=rt-120s | eval amt=round(amt/100,2) | stats sum(amt)

and you can alert if that sum(amt) is below the expected. In other words, you'll ignore the latest 2 minutes 🙂

0 Karma
Reply

musskopf
Builder
‎07-10-2014 10:29 PM

Btw, if you want to look at the last 2 minutes, just do like that:
index=xxxx earliest=rt-120s latest=now | eval amt=round(amt/100,2) | stats sum(amt)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...