Scheduled alert to retrieve latest event indexed every five minutes
I have a search query which uses dedup to get the latest event from my source type.
Search:
sourcetype = MonitorLog | dedup Username | WHERE SecondsElapsed >= 300
Username,AllocatedDirectorySize,UsedDirectorySize,PercentageUsage,LatestFileCreationTime,TimeElapsed,SecondsElapsed
amiro,300,314,105%,5/17/2017 12:01:30 PM,"0 days, 0 hours, 7 minutes, 15 seconds",435.0344144
safcom,900,907,101%,5/17/2017 11:50:18 AM,"0 days, 0 hours, 5 minutes, 6 seconds",306.0829872
How do I set up a scheduled alert which will run this search and trigger an alert when an event is returned?
I have used the below, but it's not working.
Earliest: +0m@m
Latest: +5m@m
Cron expression: */5 * * * *
Any suggestions?
Your query gets the latest event for each Username, only if SecondsElapsed > 300. Looks okay.
Your cron setup, however, is looking for every event from the start of this minute to the start of five minutes from now. You are looking for future events.
Try this -
Earliest: -5m@m
Latest: -0m@m
Cron expression: /5
Also, it would be worth leaving a couple of minutes in there for indexing to occur.
Earliest: -7m@m
Latest: -2m@m
Cron expression: 2/5 * * * *
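To make the three window choices in this thread concrete, here is a small Python model (added here, not code from the thread or from Splunk) that resolves minute-level relative time modifiers of the form `[+-]Nm@m` against a scheduled run time, the way the alert scheduler would, and then checks three properties a defender cares about: whether the window reaches into the future (the original `+0m@m`/`+5m@m` setting), how many minutes of indexing lag the window leaves, and whether consecutive runs of a `*/5`-style schedule tile the timeline with no gaps or overlaps (so no event is missed or alerted on twice). The modifier parser is deliberately limited to the minute forms used above, not Splunk's full time-modifier syntax, and the event `_time` values are constructed for the example.

```python
"""
Model of Splunk relative-time search windows for a scheduled alert.
Added example for this thread; it is not Splunk code. Only modifiers of the
form [+-]Nm@m (minutes, snapped to the minute) are modelled.
"""
import re
from datetime import datetime, timedelta

_MODIFIER = re.compile(r"^([+-])(\d+)m@m$")

# A '2/5 * * * *' firing at 12:02 on the day shown in the question.
RUN_AT = datetime(2017, 5, 17, 12, 2, 0)

# Constructed sample events; the _time values are invented for this example.
SAMPLE_EVENTS = [
    {"Username": "amiro", "_time": datetime(2017, 5, 17, 11, 57, 45)},
    {"Username": "safcom", "_time": datetime(2017, 5, 17, 12, 1, 10)},
]


def apply_modifier(run_at: datetime, modifier: str) -> datetime:
    """Resolve a modifier such as '-7m@m' against the scheduled run time.
    The '@m' suffix snaps the shifted time back to the start of its minute."""
    m = _MODIFIER.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    sign, minutes = m.group(1), int(m.group(2))
    delta = timedelta(minutes=minutes)
    shifted = run_at + delta if sign == "+" else run_at - delta
    return shifted.replace(second=0, microsecond=0)


def search_window(run_at, earliest, latest):
    """(start, end) of the search. Splunk treats earliest as inclusive and
    latest as exclusive, i.e. it returns events with start <= _time < end."""
    return apply_modifier(run_at, earliest), apply_modifier(run_at, latest)


def window_label(run_at, earliest, latest):
    """Human-readable 'HH:MM-HH:MM' form of the resolved window."""
    start, end = search_window(run_at, earliest, latest)
    return f"{start:%H:%M}-{end:%H:%M}"


def reaches_into_future(run_at, earliest, latest):
    """True when any part of the window lies after the moment the search runs."""
    _, end = search_window(run_at, earliest, latest)
    return end > run_at


def indexing_lag_minutes(run_at, earliest, latest):
    """Minutes between the end of the window and the run time: how long an
    event has to be indexed before the search that should see it fires."""
    _, end = search_window(run_at, earliest, latest)
    return (run_at - end).total_seconds() / 60


def tiles_without_gaps(earliest, latest, period_minutes, first_run, runs=3):
    """Check that consecutive scheduled runs cover the timeline exactly once:
    each window must start exactly where the previous one ended."""
    windows = [
        search_window(first_run + timedelta(minutes=period_minutes * i), earliest, latest)
        for i in range(runs)
    ]
    return all(prev_end == next_start
               for (_, prev_end), (next_start, _) in zip(windows, windows[1:]))


def events_in_window(events, run_at, earliest, latest):
    """Usernames whose event _time falls inside the resolved window."""
    start, end = search_window(run_at, earliest, latest)
    return [e["Username"] for e in events if start <= e["_time"] < end]


if __name__ == "__main__":
    for earliest, latest in [("+0m@m", "+5m@m"), ("-5m@m", "-0m@m"), ("-7m@m", "-2m@m")]:
        print(f"{earliest}/{latest}: {window_label(RUN_AT, earliest, latest)}, "
              f"future={reaches_into_future(RUN_AT, earliest, latest)}, "
              f"lag={indexing_lag_minutes(RUN_AT, earliest, latest):.0f}m, "
              f"tiles={tiles_without_gaps(earliest, latest, 5, RUN_AT)}, "
              f"matches={events_in_window(SAMPLE_EVENTS, RUN_AT, earliest, latest)}")
```

Run it and the original `+0m@m`/`+5m@m` pair resolves to a window that has not happened yet at run time, `-5m@m`/`-0m@m` leaves zero minutes for indexing, and `-7m@m`/`-2m@m` on a 5-minute schedule gives two minutes of lag while still tiling the timeline contiguously. The same tiling check shows why the window length must match the cron period: `-5m@m`/`-2m@m` every five minutes leaves two-minute holes in coverage.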
The full cron will be 2/5 * * * *
Yeah, I got lazy...
I hate having to look up whether a particular implementation is five or six slots...
Darn Oracle with their seconds-level precision...even though things seldom run in a second...