I want to trigger an alert on Splunk where, if I don't have any data coming in within 5 minutes, Splunk sends out an alert.
I am using time as -5m@m and @m.
Not sure which part you need help with...
Create your search without a start and stop time.
Save the search.
Go to Manager > Searches and Reports.
In the Time Range, set Start to -5m@s and Finish Time to now.
Find the search you saved, open it, and select Schedule this Search
For Schedule Type, select cron, and enter `*/5 * * * *`.
For Alert Condition, select If Number Of Events, and the condition Is Less Than 1.
For Alert Actions, select Send Email and Enable. Enter a subject and your email address.
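The same scheduled alert, written as a savedsearches.conf stanza instead of clicking through Manager. This is an added example, not part of the original answer; the stanza name, the index searched, the app path and the recipient address are assumptions for illustration.

```ini
# savedsearches.conf, e.g. in $SPLUNK_HOME/etc/apps/<your_app>/local/ (assumed path)
# Stanza name, index and recipient are assumptions; adjust to your environment.
[No data received in last 5 minutes]
# The search carries no earliest/latest of its own; the window comes from dispatch.* below.
# It must return raw events: a search ending in "| stats count" always yields one row,
# so "number of events < 1" would never fire.
search = index=main
# Window evaluated on every run: the last 5 minutes (snapped to the second) up to now
dispatch.earliest_time = -5m@s
dispatch.latest_time = now
# Run on a cron schedule every 5 minutes
enableSched = 1
cron_schedule = */5 * * * *
# Alert condition: trigger when the number of events is less than 1
counttype = number of events
relation = less than
quantity = 1
# Alert action: send an email
action.email = 1
action.email.to = ops-oncall@example.com
action.email.subject = Splunk alert: no data received in the last 5 minutes
# Also record firings under Activity > Triggered Alerts for later review
alert.track = 1
```

After saving the file, reload the configuration (or restart Splunk) and confirm the search appears as scheduled under Searches and Reports before relying on it.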