How to Trigger alert once per day?

josephjohn2211
Engager

I have a table in a database that I need to check every 30 minutes, starting from 7.00 AM in the morning. The first alert, i.e. at 7.00 AM, should send the entire table without checking any conditions.

Next, I have a field in the table named ACTUAL_END_TIME. This column can have only one of three values: first, a timestamp in HH:MM:SS format; second, the string In-Progress; and third, the string NotYetStarted. I need to check this table every 30 minutes, and only trigger the alert when all the rows of the column ACTUAL_END_TIME have only a timestamp. NOTE: The alert should trigger only once per day. How do I set up this alert?

0 Karma

gcusello
SplunkTrust

Hi @josephjohn2211,

I suppose that you have this information in an index and that when you say "table" you're speaking of an index; if not, please correct me.

Anyway, if you already extracted fields (called timestamp, InProgress and NotYetStarted), you have to create a search checking the presence of values in the three fields to trigger when they are empty, something like this.

index=ACTUAL_END_TIME NOT (InProgress=* NotYetStarted=*)

If you have results the alert triggers.

The alert must start to trigger at 7.00, but at what hour must it stop? In my sample I use 18:00, so you can schedule the alert using this cron expression:

*/30 7-18 * * *

Please, if possible, avoid using spaces, dots or special chars (such as "-") in your field names, otherwise you have to use quotes for those fields.

If instead you didn't extract fields, you should share some samples (both of rows with the three fields and without them) so I can help you.

Ciao.

Giuseppe

0 Karma
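An added example, not part of either post above: a savedsearches.conf sketch of the condition in the question ("every row of ACTUAL_END_TIME is a timestamp") combined with the cron schedule from the answer and alert throttling so it fires at most once per day. The stanza names, the index name `your_index` and the e-mail address are hypothetical, and it assumes each poll of the table is indexed as one event per row with ACTUAL_END_TIME already extracted.

```ini
# savedsearches.conf (added example; stanza names, index and address are hypothetical)
# Assumption: every 30-minute poll of the table is indexed as one event per row,
# with the ACTUAL_END_TIME field extracted.

[job_table_0700_snapshot]
# Unconditional 07:00 run: send the whole table, no condition checked.
search = index=your_index | table *
dispatch.earliest_time = -30m@m
dispatch.latest_time = now
enableSched = 1
cron_schedule = 0 7 * * *
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 1
action.email = 1
action.email.to = ops@example.com

[job_table_all_finished]
# Returns one result row only when every row carries an HH:MM:SS value,
# i.e. no row is still "In-Progress" or "NotYetStarted".
search = index=your_index \
| stats count AS total_rows, \
        count(eval(match(ACTUAL_END_TIME, "^[0-9]{2}:[0-9]{2}:[0-9]{2}$"))) AS finished_rows \
| where total_rows > 0 AND finished_rows == total_rows
dispatch.earliest_time = -30m@m
dispatch.latest_time = now
enableSched = 1
# Schedule taken from the answer: every 30 minutes from 07:00 to 18:30.
cron_schedule = */30 7-18 * * *
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 1
# Throttle: after the first trigger, suppress further triggers for 12 hours.
# 12h covers the rest of the 07:00-18:30 window and expires before 07:00 next day;
# a 24h period could swallow the next day's alert if today's fired late.
alert.suppress = 1
alert.suppress.period = 12h
alert.track = 1
action.email = 1
action.email.to = ops@example.com
```

The `total_rows > 0` guard keeps the alert from firing on an empty poll, where "all rows finished" would otherwise be trivially true.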