Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

subsearch condition which persists for x time

ericrobinson
Path Finder
‎11-29-2010 07:12 PM

Is there is a way to have a scheduled search run and only alert if a certain condition is met for a period of time?

We have a search that looks for a delay value that we are extracting with rex. We want to be alerted if this value is > 1 minute for a period of time. (e.g. if the value for this delay filed is greater > 1 minute for 10 minutes, send an alert)

Is this possible with the current monitoring and alerting capabilities? I only see number of events, hosts etc as a conditional alert.

Tags (1)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎11-29-2010 11:50 PM

There is a conditional alert, but I suppose you are looking for a value such that the condition is met over a period of time, i.e., you want to refer to a history of running the search on a schedule. The easiest way to do this is to just run a search over a longer period of time and count (e.g., ... | bucket _time span=1min | ... by _time | stats count) but this can be very inefficient. A better way is to use a pair of searches, one to update a lookup table containing the history over time, and the second to report/alert on the lookup table.

0 Karma
Reply
Get Updates on the Splunk Community!

Harnessing Splunk’s Federated Search for Amazon S3

Managing your data effectively often means balancing performance, costs, and compliance. Splunk’s Federated ...

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...