Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set cron expresion and time range of alert correctly if event delay in index time

bestSplunker
Contributor
‎02-26-2020 08:03 PM

hello everyone:

I have create db connect inputs, It reads record from the database every five minutes to the Splunk index.
but I found that there was a 30 minute difference between index time and event time. as follows:

index = test
|eval indextime=strftime(_indextime,"%Y/%m/%d %H:%M:%S")
|eval age=(_indextime - _time)/60
|table indextime _time age

--------------------------------------------------------------------------------------------------

indextime                                       _time                                            age
2020/02/27  11:40:00                       2020/02/27 11:11:14                                 28.76667
2020/02/27 10: 30:00                       2020/02/27 09: 59:36                                30.40000
2020/02/27 10:25: 00                       2020/02/27 09: 56: 48                               28.20000

now, I want to create an alert to query important events , I hope this alert to run every 10 minutes, so how to set the time range in alert setting correctly, prevent missing important events or repeating alert?

time range:  ???? How to set up correctly

cron expresion :  */10 * * * *
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎02-27-2020 01:58 AM

you can use the index time as your search filter:
_index_earliest=-11m@m _index_latest=-1m@m (for example) and you will never miss a bit as long as search doesn't skip
read more here
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/SearchTimeModifiers

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎02-27-2020 01:58 AM

you can use the index time as your search filter:
_index_earliest=-11m@m _index_latest=-1m@m (for example) and you will never miss a bit as long as search doesn't skip
read more here
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/SearchTimeModifiers

0 Karma
Reply
Solved! Jump to solution

bestSplunker
Contributor
‎03-15-2020 10:57 PM

thank you very much, so if i use index time, I can ignore time range of the alert settting, because index time in search effect takes precedence over time range?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...