Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Wait logic in Splunk query

ManjunathNargun
New Member
‎10-03-2023 07:33 AM

Hi All,

How can we implement the wait logic in a Splunk query.

We monitor the Service down traps primarily and create Splunk alerts.

We have requirement now, to wait for a time interval and check if the service UP trap received if yes then don't create alert else create an alert. How can we implement this in a single query? Any suggestion please.

Example: If ServiceDown trap received:

                Wait for 5 minutes.

                If Good trap received:

                                Return

                Else:

                                Create alarm.

 

Thanks!

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-03-2023 08:29 AM

Look at it another way.  Search the last 5 minutes.  If a ServiceDown trap was received without a matching Good trap then create an alarm.

index=foo (trap=ServiceDown OR trap=Good) earliest=-6m
| dedup ```add a field that contains device name```
| where trap=ServiceDown AND _time <= relative_time(now(), "-5m")

Trigger the alert if the search returns results.

---
If this reply helps you, Karma would be appreciated.
Reply

ManjunathNargun
New Member
‎10-25-2023 05:40 AM

@richgalloway Hi , Tried the below one.

we are getting error as below.

Error in where command: The operator at '::trapdown AND _time<=relative_time(now(),"-5m") is invalid.

Please help me.

Thanks!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-25-2023 12:08 PM

Have you tried something like this (assuming ServiceDown is a string)?

index=foo (trap=ServiceDown OR trap=Good) earliest=-6m
| dedup ```add a field that contains device name```
| where (trap="ServiceDown" AND _time <= relative_time(now(), "-5m"))

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...