Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Wait logic in Splunk query

ManjunathNargun
New Member
‎10-03-2023 07:33 AM

Hi All,

How can we implement the wait logic in a Splunk query.

We monitor the Service down traps primarily and create Splunk alerts.

We have requirement now, to wait for a time interval and check if the service UP trap received if yes then don't create alert else create an alert. How can we implement this in a single query? Any suggestion please.

Example: If ServiceDown trap received:

                Wait for 5 minutes.

                If Good trap received:

                                Return

                Else:

                                Create alarm.

 

Thanks!

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-03-2023 08:29 AM

Look at it another way.  Search the last 5 minutes.  If a ServiceDown trap was received without a matching Good trap then create an alarm.

index=foo (trap=ServiceDown OR trap=Good) earliest=-6m
| dedup ```add a field that contains device name```
| where trap=ServiceDown AND _time <= relative_time(now(), "-5m")

Trigger the alert if the search returns results.

---
If this reply helps you, Karma would be appreciated.
Reply

ManjunathNargun
New Member
‎10-25-2023 05:40 AM

@richgalloway Hi , Tried the below one.

we are getting error as below.

Error in where command: The operator at '::trapdown AND _time<=relative_time(now(),"-5m") is invalid.

Please help me.

Thanks!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-25-2023 12:08 PM

Have you tried something like this (assuming ServiceDown is a string)?

index=foo (trap=ServiceDown OR trap=Good) earliest=-6m
| dedup ```add a field that contains device name```
| where (trap="ServiceDown" AND _time <= relative_time(now(), "-5m"))

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top