Security

Splunk Alert on specific phrase

babcolee
Path Finder

I have an alert set up to run every hour to look for any latency of :45 minutes. If over that send a "Please Investigate" message

Index=...  | stats count max(_time) as lastTime by host
| eval now=now()
| eval timedelta=round((now-lastTime)/60/60,2)
| eval timedelta=if(timedelta > .75,"Please Investigate", timedelta)
| convert ctime(lastTime) ctime(now)
| sort - timedelta

The problem is that I get this alert email even when the latency is 0.00. What I really need is for the alert to trigger and run when it sees the phrase "Please Investigate" . I have been unsuccessful in setting this up in the Splunk Alert GUI as a trigger.

 

Labels (1)
Tags (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Why not leave it in minutes?

Index=...  | stats count max(_time) as lastTime by host
| eval now=now()
| eval timedelta=(now-lastTime)/60
| eval timedelta=if(timedelta > 45,"Please Investigate", timedelta)
| convert ctime(lastTime) ctime(now)
| where timedelta="Please Investigate"

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Why not leave it in minutes?

Index=...  | stats count max(_time) as lastTime by host
| eval now=now()
| eval timedelta=(now-lastTime)/60
| eval timedelta=if(timedelta > 45,"Please Investigate", timedelta)
| convert ctime(lastTime) ctime(now)
| where timedelta="Please Investigate"

babcolee
Path Finder

Will what you show only trigger when the phrase "Please Investigate" appears in the alert? I don't want to see the alert if there is 0.00 latency

0 Karma

johnhuang
Motivator

You have to make sure that:

  • the alert is configured to trigger only when the number of results is greater than 0.
  • your search query is actually filtering out results that you don't want alerted on. Per @ITWhisperer 
    • | where timedelta="Please Investigate"

 

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...