Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does my alert run for an "All time" time range, when I have set it for "Relative - 2 hours ago"?

arunsubram
Explorer
‎12-22-2016 01:17 AM

Hi,
I have set up a Alert as such

index=rest because the offer is shutoff. partnerId="*" host="*-prd-rst*"  | stats  count by partnerId,offerId  | lookup  partneridlookup partnerId OUTPUT RetailerName |sort count DESC

In the timeframe, I have chosen "Relative - 2 hours Ago". The alert is set on a cron as 0 */2 * * * [to run every two hours].

For some reason, every time this Alert is triggered, timeframe run is for "All time". It does on run for the 2 hours window provided.
The issue seems to be only with this Alert. My other Alerts work fine. Any pointers would be helpful.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎12-22-2016 04:50 AM

Relative Timeframe for previous 2 hours should work as selected. However if you want to force the time window on your search you can add the same to your base search as well...

<Your Base Search> earliest=-2h latest=now | <Your remaining Search>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎12-22-2016 05:06 AM

The alert should be using the timeframe you set when you created the alert.

Navigate to the alerts section of the app you are working in, or go to Settings > Searches, Reports, Alerts and open your alert for editing.

Please share your settings here:

alt text

As you can see my alert triggers every 5 minutes and looks back 5 minutes.

Let's make sure you have vaild time selectors in the configuration of the alert.

- MattyMo
0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎12-22-2016 04:50 AM

Relative Timeframe for previous 2 hours should work as selected. However if you want to force the time window on your search you can add the same to your base search as well...

<Your Base Search> earliest=-2h latest=now | <Your remaining Search>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...