Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk Alert on specific phrase

babcolee
Path Finder
‎12-02-2021 12:10 PM

I have an alert set up to run every hour to look for any latency of :45 minutes. If over that send a "Please Investigate" message

Index=...  | stats count max(_time) as lastTime by host
| eval now=now()
| eval timedelta=round((now-lastTime)/60/60,2)
| eval timedelta=if(timedelta > .75,"Please Investigate", timedelta)
| convert ctime(lastTime) ctime(now)
| sort - timedelta

The problem is that I get this alert email even when the latency is 0.00. What I really need is for the alert to trigger and run when it sees the phrase "Please Investigate" . I have been unsuccessful in setting this up in the Splunk Alert GUI as a trigger.

 

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2021 12:23 PM

Why not leave it in minutes?

Index=...  | stats count max(_time) as lastTime by host
| eval now=now()
| eval timedelta=(now-lastTime)/60
| eval timedelta=if(timedelta > 45,"Please Investigate", timedelta)
| convert ctime(lastTime) ctime(now)
| where timedelta="Please Investigate"

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2021 12:23 PM

Why not leave it in minutes?

Index=...  | stats count max(_time) as lastTime by host
| eval now=now()
| eval timedelta=(now-lastTime)/60
| eval timedelta=if(timedelta > 45,"Please Investigate", timedelta)
| convert ctime(lastTime) ctime(now)
| where timedelta="Please Investigate"
Reply
Solved! Jump to solution

babcolee
Path Finder
‎12-02-2021 12:34 PM

Will what you show only trigger when the phrase "Please Investigate" appears in the alert? I don't want to see the alert if there is 0.00 latency

0 Karma
Reply
Solved! Jump to solution

johnhuang
Motivator
‎12-02-2021 01:21 PM

You have to make sure that:

  • the alert is configured to trigger only when the number of results is greater than 0.
  • your search query is actually filtering out results that you don't want alerted on. Per @ITWhisperer 
    • | where timedelta="Please Investigate"

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...