Solved: Splunk Alert on specific phrase

babcolee · ‎12-02-2021

I have an alert set up to run every hour to look for any latency of :45 minutes. If over that send a "Please Investigate" message

The problem is that I get this alert email even when the latency is 0.00. What I really need is for the alert to trigger and run when it sees the phrase "Please Investigate" . I have been unsuccessful in setting this up in the Splunk Alert GUI as a trigger.

ITWhisperer · ‎12-02-2021

Why not leave it in minutes?

Index=...  | stats count max(_time) as lastTime by host
| eval now=now()
| eval timedelta=(now-lastTime)/60
| eval timedelta=if(timedelta > 45,"Please Investigate", timedelta)
| convert ctime(lastTime) ctime(now)
| where timedelta="Please Investigate"

View solution in original post

ITWhisperer · ‎12-02-2021

Why not leave it in minutes?

Index=...  | stats count max(_time) as lastTime by host
| eval now=now()
| eval timedelta=(now-lastTime)/60
| eval timedelta=if(timedelta > 45,"Please Investigate", timedelta)
| convert ctime(lastTime) ctime(now)
| where timedelta="Please Investigate"

babcolee · ‎12-02-2021

Will what you show only trigger when the phrase "Please Investigate" appears in the alert? I don't want to see the alert if there is 0.00 latency

johnhuang · ‎12-02-2021

You have to make sure that:

the alert is configured to trigger only when the number of results is greater than 0.
your search query is actually filtering out results that you don't want alerted on. Per @ITWhisperer
- ```
| where timedelta="Please Investigate"
```

Splunk Alert on specific phrase

other

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor