Alerting

Setting duration in search and save as an alert

pdreef
Explorer

We are trying to set an alert for a sub_A to trigger if no data is sent  in 1 hour duration.  The previous splunk expert wrote the search below, and i was under the impression to change the "+24h@h" to "1h@h" and "86400",  to 3600 would change the parameter of the alert.

| where now()>relative_time(LastFileXfer, "+24h@h")
| eval DaysOld=round((now() - round(LastFileXfer, 0))/86400, 2)

 

Does this need to be changed when saving the alert in menu section of the alert?

-----Thank you-----

 

------Search------

index=dart_index source=OPS_NIPR_DART_DMZ_IncomingOutgoing status_message="OK" earliest=-48h@h subscription_name IN ("Sub_A")
| eval DeliveryComplete=strptime(delivery_complete, "%Y-%m-%d %H:%M:%S")
| stats values(src_host) as Source, values(dest_host) as Destination, values(login_name) as DataOwner, values(host_name) as DartNode, values(xfer_type) as XferMethod, min(DeliveryComplete) as EarliestFileXfer, max(DeliveryComplete) as LastFileXfer by subscription_name
| where now()>relative_time(LastFileXfer, "+24h@h")
| eval DaysOld=round((now() - round(LastFileXfer, 0))/86400, 2)
| eval EarliestFileXfer=strftime(EarliestFileXfer, "%Y-%m-%d %H:%M:%S")
| eval LastFileXfer=strftime(LastFileXfer, "%Y-%m-%d %H:%M:%S")
| table subscription_name Source Destination DataOwner DartNode XferMethod EarliestFileXfer LastFileXfer DaysOld

Labels (2)
0 Karma
1 Solution

Nisha18789
Builder

Great @pdreef , could youplease mark my response as solution.

View solution in original post

0 Karma

Nisha18789
Builder

hi @pdreef , looking at query and requirement, this should work by replacing 24h@h by 1h  in below line considering you want to check that there should be data every 1 hour duration irrespective of the mm value in hh:mm.

| where now()>relative_time(LastFileXfer, "+1h")

 

Hope this helps!

0 Karma

pdreef
Explorer

Yes, that worked. Thank you. I tired had and extra "h" and this is why it wasn't working.

0 Karma

Nisha18789
Builder

Great @pdreef , could youplease mark my response as solution.

0 Karma

pdreef
Explorer

Of course, thanks again for your help. 

0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...