Re: Scheduling and Triggering An Alert if the keyw...

anandhalagarasa · ‎07-22-2019

Hi Team,

Usually the keyword "College Begins" would be repeated nearly 4 times in a minute in logs.

So i want to schedule an alert and email i.e. if the keyword " College Begins" is not there in the log for last 5 minutes. So my index=abc and host=def source=ijk

So i want the query to trigger an alert if the keyword College begins is not present in the logs.

Sample Logs:

woodcock · ‎07-27-2019

Try this:

index=<You should always specify an index> AND sourcetype=<And sourcetype too> "College begins"
| streamstats window=2 range(_time) pause_seconds
| eval pause_seconds=coalesce(pause_seconds, now() - _time)
| where pause_seconds > (5 * 60)

adonio · ‎07-22-2019

try this:
index=abc and host=def source=ijk ... "College Begins" | stats count every 5 minutes
alert if count = 0

note, to make sure you dont miss anything, might be better to do something like this:
earliest = -7m@m latest=-2m@m ... rest of your search

hope it helps

Scheduling and Triggering An Alert if the keyword is not in logs

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)