Other Usage

Issue with Alerting - Why is it not working anymore?

praneethlekkala
Path Finder

Hi,

I have an issue with alerting and it's not working anymore. What am I doing wrong?


My Query:

index="content" source="catalina.out" "org.apache.catalina.startup.Catalina.start Server startup" NOT Caesium | rex field=_raw "(?ms)^(?P<boot_end>\\d+\\-\\w+\\-\\d+\\s+\\d+:\\d+)(?:[^ \\n]* ){7}(?P<boot_time>\\d+)" offset_field=_extracted_fields_bounds
| eval epoch_time = _time
| eval boot_sec = boot_time * 0.001
| eval boot_min = boot_sec/60
| eval sub_time = epoch_time - boot_sec
| eval human_epoch_time = strftime(epoch_time,"%y-%m-%d %H:%M:%S")
| eval human_sub_time = strftime(sub_time,"%y-%m-%d %H:%M:%S")
| table human_epoch_time boot_sec boot_min human_sub_time host


Output:

I am not getting the duration anymore.

The alert email that I am getting doesn't contain the duration or the "initiated at" time:

application has been started on node host.

Start Up Initiated at .

Start Up Completed at 23-04-27 07:46:12 .

Start Up Duration is minutes .

human_epoch_time    boot_sec    boot_min    human_sub_time    host
23-04-27 07:46:12                                             host
0 Karma

somesoni2
Revered Legend

Does running the alert search manually fetch proper results? Start with this base search and slowly add portions of your search, one at a time, to troubleshoot in which steps the extraction/calculations are failing.

index="content" source="catalina.out" "org.apache.catalina.startup.Catalina.start Server startup" NOT Caesium
| table _time _raw host
0 Karma
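To show what the incremental check above is looking for, here is an added Python example (not from the thread or from Splunk) that mimics the poster's rex and eval chain over two constructed catalina.out lines: one with the "Server startup in <n> ms" tail the regex expects, and one with a bracketed "[<n>] milliseconds" tail, an assumed variant the regex cannot capture. When rex does not match, Splunk silently leaves boot_time null, and every field derived from it (boot_sec, boot_min, human_sub_time) is null too, which is exactly the blank-duration row the alert is showing.

```python
import re
from datetime import datetime, timezone

# The poster's rex pattern as the regex engine sees it (one level of
# backslash escaping removed from the SPL string).
BOOT_RE = re.compile(
    r"(?ms)^(?P<boot_end>\d+\-\w+\-\d+\s+\d+:\d+)(?:[^ \n]* ){7}(?P<boot_time>\d+)"
)

# Constructed sample events, not taken from the poster's logs.
MATCHING_LINE = ("27-Apr-2023 07:46:12.345 INFO [main] "
                 "org.apache.catalina.startup.Catalina.start Server startup in 12345 ms")
# Assumed variant with the number in brackets; the trailing \d+ cannot match "[".
NON_MATCHING_LINE = ("27-Apr-2023 07:46:12.345 INFO [main] "
                     "org.apache.catalina.startup.Catalina.start Server startup in [12345] milliseconds")


def fmt(epoch):
    """Equivalent of strftime(x, "%y-%m-%d %H:%M:%S"), evaluated in UTC."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%y-%m-%d %H:%M:%S")


def rex(raw):
    """Mimic `rex`: a non-matching event simply gets no fields, with no error."""
    m = BOOT_RE.search(raw)
    return m.groupdict() if m else {}


def build_row(event_time, raw):
    """Mimic the eval chain; every field derived from a null boot_time stays null."""
    fields = rex(raw)
    row = {"human_epoch_time": fmt(event_time), "boot_sec": None,
           "boot_min": None, "human_sub_time": None}
    if "boot_time" not in fields:
        return row  # this is the state behind the blank duration in the alert
    boot_sec = int(fields["boot_time"]) * 0.001
    row["boot_sec"] = boot_sec
    row["boot_min"] = boot_sec / 60
    row["human_sub_time"] = fmt(event_time - boot_sec)
    return row


if __name__ == "__main__":
    t = 1682581572  # 2023-04-27 07:46:12 UTC, the timestamp shown in the alert
    for line in (MATCHING_LINE, NON_MATCHING_LINE):
        print("rex matched" if rex(line) else "rex did NOT match", build_row(t, line))
```

Running the same split in Splunk (base search, then `| rex ...`, then `| table boot_end boot_time`) tells you whether the extraction or the arithmetic is the stage that went blank.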