Hey guys, I'm new to Splunk and I really need your help!!!
What I want to do is find the most recent event and see the gap between the time of that event and now. If the gap is greater than 10 minutes, the alert is triggered. So I had a search string like this:
index=palink | stats max(_time) as LatestTime | eval Gap=(time()-LatestTime) | where Gap>600 | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(LatestTime) | eval dtime=strftime(Gap,"%M:%S") | table LatestTime dtime
It worked well in search so I saved it as alert with following setting:
Title: palink_alert
Alert type: Scheduled
Time Range: Run on Cron Schedule
Earliest: @d+1h
Latest: now
Cron Expression: * /5 * * * *
Trigger condition: Number of Results
Trigger if number of results: is Greater than 0
When the gap is greater than 10 minutes, I can see the results if I click Open in Search. However, on the alert page it says "There are no fired events for this alert." How do I fix this problem?
It shows alerts when I make Alert Type=Real Time. But it shows nothing in search, and alerts even when it should not be triggered. I set it as follows:
Title: pa_test
Alert type: Real Time
Trigger condition: Per-Result
So I tried to set it as:
Title: pa_test
Alert type: Real Time
Trigger condition: Number of Results
Number of results is: Greater than 0
in: 1 minute(s)
And then it says "In handler 'savedsearch': windowed real-time per result alerts require field based alert throttling to be enabled." What should I do now?
Your Cron expression seems to have an extra space between the star and the slash:
* /5 * * * *
There should be no space there:
*/5 * * * *
This is assuming you want to run the search every five minutes and that the extra space isn't a copy-paste error.
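A Python illustration of the answer's point, added here and not part of the original thread: a minimal five-field cron validator (not Splunk's own parser, whose accepted syntax may differ slightly) that rejects `* /5 * * * *` because the stray space turns it into six fields, and expands `*/5 * * * *` to the intended every-five-minutes schedule.

```python
import re

# Name and allowed numeric range of each of the five cron fields, in order.
FIELD_RANGES = [
    ("minute", 0, 59),
    ("hour", 0, 23),
    ("day_of_month", 1, 31),
    ("month", 1, 12),
    ("day_of_week", 0, 7),
]

# One list element: "*", "N" or "N-M", optionally followed by "/step".
_TOKEN_RE = re.compile(r"^(\*|\d+(?:-\d+)?)(?:/(\d+))?$")


def expand_field(spec, low, high):
    """Expand one field ("*/5", "9-17", "1,15", "*") into its sorted values,
    raising ValueError when a token is malformed or out of range."""
    values = set()
    for part in spec.split(","):
        m = _TOKEN_RE.match(part)
        if not m:
            raise ValueError(f"malformed field {spec!r}: bad token {part!r}")
        base, step = m.group(1), int(m.group(2) or 1)
        if step < 1:
            raise ValueError(f"malformed field {spec!r}: step must be >= 1")
        if base == "*":
            start, end = low, high
        elif "-" in base:
            start, end = (int(x) for x in base.split("-"))
        else:
            start = end = int(base)
        if not (low <= start <= end <= high):
            raise ValueError(f"field {spec!r} must lie within {low}-{high}")
        values.update(range(start, end + 1, step))
    return sorted(values)


def parse_cron(expression):
    """Parse a five-field cron expression into {field_name: [values]}."""
    fields = expression.split()
    if len(fields) != 5:  # "* /5 * * * *" splits into six tokens and fails here
        raise ValueError(f"expected 5 fields, got {len(fields)}: {fields}")
    return {name: expand_field(spec, low, high)
            for spec, (name, low, high) in zip(fields, FIELD_RANGES)}


def check_cron(expression):
    """Return (True, schedule) for a valid expression, else (False, reason)."""
    try:
        return True, parse_cron(expression)
    except ValueError as exc:
        return False, str(exc)
```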