Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Two time period search with summary index or kvstore

koshyk
Super Champion
‎09-05-2019 03:50 PM

We have a rare query from a team and situation is
- The team needs to immediately get an alert (within 5 minutes)
- The team don't want to miss an alert (even if there is a network delay or indexing delay or some issues)
- Also the alert cannot be duplicated if it is already alerted
- Alerting is done on the event-time (and not indextime)

So an event comes in real-time, then there is no problem.
But if there are network issues, and assume the event got delayed by 6 minutes they need a sweep up of such delayed alert, so it will be still alerted, but NOT shown duplicate

I thought of an option to
- have two searches (SavedSearch1 => one which runs every 5mins, searching for previous 5 mins) & (SavedSearch2=> which runs every 5 mins but sweeps events in last 60mins).
- Summary index the SavedSearch1 and SavedSearch2 should compare if it is already there in the summary index using same time

So my query is
Have you guys done this similar situation? Is there any other better option?

0 Karma
Reply

adonio
Ultra Champion
‎09-05-2019 06:32 PM

hmmm
and why the following wont work?
_index_earliest=-4m@m _index_latest=-1m@m .... all your query ... | stats <whatever> by _time _indextime ... | where or eval if needed ...
then run the alert every 3 minutes and add your relevant condition in the alert dialog boxes.
you are not supposed to miss a thing
oh, dont forget to mark the search / alert as highest priority

hope it helps

Reply

koshyk
Super Champion
‎09-06-2019 02:32 AM

that's a fair point. Let me test this out practically and see if anything get's missed (or any scenario's will get missed)

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...