Re: Splunk query/condition to check and trigger Al...

Ashwini008 · ‎09-14-2022

Hi ,

My Job completes at 4AM,I need to set up a alert to monitor the job status 2 hours before the job completion time i.e. at 2 AM i should start checking the Job Status if it completed or not,So starting from 2AM i should monitor and trigger the alert till the job is completed.

I am using below query but it doesn't make sense and doesn't satisfies my above condition.

| makeresults
| eval CurrentTime="05:00:00"
| eval CurrentTimepoch=strptime(CurrentTime,"%H:%M:%S")
| eval SLATIME="04:00:00"
| eval SLATIMEepoch=strptime(SLATIME,"%H:%M:%S")
| eval Diff=(SLATIMEepoch-CurrentTimepoch)
| eval Duration=if(Diff<0, "-", "") + tostring(abs(Diff), "duration")
| eval check1=case(Duration>="02:00:00" AND STATUS!=C,"Trigger",1=1,"Dont")

Please help me how to capture specific time i.e. 2 AM and start checking the job status in the query?

JacekF · ‎09-14-2022

You have provided a very little information on your environment, but If I understand your problem correctly, the following should allow you to determine if current time is later than the checking trigger time (2AM)

| makeresults
| eval triggerTime = relative_time(now(), "@d") + (2*3600)
| eval check = if(now() > triggerTime, "Trigger", "Don't")

The relative_time function is used to round epoch time down to the beginning of the day and then the number of seconds 2 hours have (2*3600) is added.

Splunk query/condition to check and trigger Alert 2 hours before the Job Completion time?

event type

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

Video | Tom’s Smartness Journey Continues

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?