All Apps and Add-ons

How to create a Splunk alert upon new database table entry?


I think I have been asking this question wrong. I have a need to generate an alert and send an e-mail if a new entry hits the database. I am finding this to be difficult for me as I am a novice to Splunk. I can tell you I have tried "earliest=-1h latest=now" but that only seems to go by the Splunk time stamp and that won't work for me, I need it to work with the "create_date" column in the DB. Or is there a better way of doing this?


Actually, I fixed this by changing the time stamp column in the DB input instead of using Splunks default time stamp. Fixed me right up! Thanks though!

0 Karma



You can filter your search to all records with a 'create_date' value within the last 5 minutes using:

<your_search_here> | WHERE strptime(create_date, <time_format here> > relative_time(now(), "-5m")

You can then save this as an alert and set it run every 5 minutes, setting the trigger action to send an email.