Hi Everyone,
I have one search query as below:
index=abc ns=hjk (nodeUrl ="*") Trace_Id=* "*" | stats count by Trace_Id Span_Id ns app_name Log_Time caller nodeUrl nodeHttpStatus nodeResponseTime |rename caller as "Caller"|rename nodeUrl as "Node" |rename nodeHttpStatus as "NodeHttpStatus"|rename nodeResponseTime as "NodeResponseTime"| fields - count|replace "https://tyu/datagraphaccountnode/graphql" with "Account"|replace "https:/fgh/datagraphassetnode/graphql" with "Asset"|where NodeResponseTime >5000
I want to trigger this hourly.
How can I do this?
Alerts trigger when their trigger criterion (>0 results, for example) is met. How often that happens depends entirely upon the data the alert searches.
Alerts can be made to *run* every hour very easily. Go to Settings->Searches, reports, and alerts. Locate the alert in question, click the Edit link then select "Edit alert". Set the Alert type to Scheduled then select "Run every hour" from the next dropdown menu. Click Save and you're done.
Hi @aditsss,
does your search work?
It seems to me to be not correct, because if you want to trigger the alert when NodeResponseTime >5000 and NodeResponseTime isn't an aggregated value, you don't need to put the condition at the end of the search. You could run something more efficient, because the first rule to optimize searches is to put conditions as far left as possible:
index=abc ns=hjk (nodeUrl ="*") Trace_Id=* "*" nodeResponseTime>5000
| replace "https://tyu/datagraphaccountnode/graphql" with "Account"
| replace "https:/fgh/datagraphassetnode/graphql" with "Asset"
| stats count by Trace_Id Span_Id ns app_name Log_Time caller nodeUrl nodeHttpStatus nodeResponseTime
| rename caller AS "Caller" nodeUrl AS "Node" nodeHttpStatus AS "NodeHttpStatus" nodeResponseTime AS "NodeResponseTime"
| fields - count
Then the replace command works on raw data that you no longer have after the stats command.
Then you can put more renames in the same command.
At least you have to save your search as an alert, schedule it hourly, and have it triggered when results are >0.
Ciao.
Giuseppe
Thanks for the suggestion.
If I want to trigger it hourly, then do I need to take the Time Range as last 60 minutes and the cron expression as */60 * * * *,
or do I need to take it as RunEveryHour and 30 minutes past the hour?
I want to schedule the trigger hourly.
Hi @aditsss,
in the alert definition form you also have the choice to schedule the alert hourly, without using a cron expression: you only have to define at what minute of each hour you want the search to execute.
About the Time Range, it's usually set the same as the frequency, but it isn't a rule because there could be different requirements.
Ciao.
Giuseppe
Hi @aditsss,
as @richgalloway said, this isn't a correct cron definition. You have to define at what minute of the hour you want to run the alert (e.g. at 30) and then put this number in the first position of the cron:
30 * * * *
This is the same thing as using the hourly definition in the alert creation panel.
Your definition is correct (and usually used) to schedule an alert e.g. every 15 minutes:
*/15 * * * *
Ciao.
Giuseppe
Then if I want to trigger an alert every hour,
I can use last 60 minutes as my search time and then schedule it like this: */60 **** for past 0 minutes or 30 minutes.
Am I correct?
as @richgalloway and I said, this isn't a correct cron definition. You have to define at what minute of the hour you want to run the alert (e.g. at 30) and then put this number in the first position of the cron:
30 * * * *
This is the same thing as using the hourly definition in the alert creation panel.
Your definition is correct (and usually used) to schedule an alert e.g. every 15 minutes:
*/15 * * * *
Ciao.
Giuseppe
That's not a valid cron string. See crontab.guru for a great web site for building and checking cron strings.
I tell my customers to pick a minute other than 0,15,30, or 45 for their hourly searches and put that number in the cron. For example: 7 * * * *
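The schedule-versus-time-range question in this thread can be checked mechanically. The following is an added example, not code from any of the posts or from Splunk: it expands the minute field of a cron string and compares the gap between runs with the search window. The function names are hypothetical, the search window is assumed to end at run time, and a step outside 1-59 is rejected as an assumption matching the replies that call */60 invalid.

```python
def expand_minutes(field):
    """Return the sorted minutes (0-59) matched by a cron minute field."""
    minutes = set()
    for part in field.split(","):
        base, _, step = part.partition("/")
        step = int(step) if step else 1
        if not 1 <= step <= 59:
            # Assumption: steps outside 1-59 are rejected, as */60 is above.
            raise ValueError(f"invalid step in {part!r}")
        if base == "*":
            lo, hi = 0, 59
        elif "-" in base:
            lo, hi = map(int, base.split("-"))
        else:
            lo = hi = int(base)
        if not 0 <= lo <= hi <= 59:
            raise ValueError(f"minute out of range in {part!r}")
        minutes.update(range(lo, hi + 1, step))
    return sorted(minutes)


def check_schedule(cron, window_minutes):
    """Compare the gaps between runs with the search window (in minutes)."""
    fields = cron.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 cron fields, got {len(fields)}: {cron!r}")
    if fields[1:] != ["*"] * 4:
        raise ValueError("this sketch only handles minute-only schedules")
    runs = expand_minutes(fields[0])
    # Minutes between consecutive runs, including the wrap into the next hour.
    gaps = [(b - a) % 60 or 60 for a, b in zip(runs, runs[1:] + runs[:1])]
    if window_minutes < max(gaps):
        verdict = "gap"      # some events fall between windows, never searched
    elif window_minutes > min(gaps):
        verdict = "overlap"  # some events are searched, and may alert, twice
    else:
        verdict = "aligned"
    return {"runs": runs, "gaps": gaps, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample inputs: (cron string, search window in minutes).
    for cron, window in [("7 * * * *", 60), ("*/15 * * * *", 15),
                         ("30 * * * *", 30), ("*/25 * * * *", 25)]:
        print(cron, window, check_schedule(cron, window))
```

A step that does not divide 60 (such as */25) restarts at minute 0 every hour, so the runs are unevenly spaced and a single fixed window either overlaps or leaves a gap.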