Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Set up splunk Alert - a complicated one

loveforsplunk
Explorer
‎05-20-2017 09:45 PM

Here is my log file having a key word "error":

My search is : index=abc host="123" "error" source="efg/*"

My search returns results as below (check out the timings ) , suppose below is the event section:

Time Event
5/20/17 1:00:45.000 AM Completed at Sat May 20 03:00:45 2017

Under the _time section , the time which is displayed is 2hrs less than the time that is displayed in the logs(as you can see from the event section).

Now , suppose there is a failure in my log which I came to know right now. I go to splunk and check I do not see any result for the last 15 minutes even but when I do last 2 hours , I get to see the result.

Please tell me how do i set this alert. if I am setting to check every 5 minutes, I do not get any alert . When I did -2h as start time and now as finish time , I still did not get any alert . Now I did it -2h@h which I am sure will work or not until there is a failure.

Also, I have selected Run every minute while setting the alert.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dineshraj9
Builder
‎05-20-2017 11:17 PM

You need to fix the timezone of your logs first. The 2hr difference is because of the logs being set to incorrect timezone.

https://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Applytimezoneoffsetstotimestamps

I suggest you get the TZ attribute in props.conf for the sourcetype.
This will fix the timezone issue and logs will appear real time.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dineshraj9
Builder
‎05-20-2017 11:17 PM

You need to fix the timezone of your logs first. The 2hr difference is because of the logs being set to incorrect timezone.

https://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Applytimezoneoffsetstotimestamps

I suggest you get the TZ attribute in props.conf for the sourcetype.
This will fix the timezone issue and logs will appear real time.

0 Karma
Reply
Solved! Jump to solution

loveforsplunk
Explorer
‎05-21-2017 08:10 AM

But for the same server , I have alert set up for other logs as well. For those I get the expected output . Only for this particular log I do not get, not sure why.

Do u mean , there is a way to set up timezone for particular logs ??

In my Splunk user settings , my timezone set is correct and the logs timezone in its server as I see is also the same as mine , then why do I get something else in _time ?

0 Karma
Reply
Solved! Jump to solution

dineshraj9
Builder
‎05-21-2017 10:07 PM

Yes, you can setup for timezone for each log in different ways.

In props.conf, you can set TZ attribute for the particular sourcetype.

In inputs.conf, you can set _tzhint field for the particular log monitor stanza.

0 Karma
Reply
Solved! Jump to solution

loveforsplunk
Explorer
‎05-22-2017 09:49 AM

oh ok. I will work on this. Thank you so much Dinesh.

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎05-21-2017 05:14 PM

it has nothing to do with your users timezone,
check the link in the answer

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...