Help in creating search query for Alert

santosh_scb · ‎08-14-2020

Hi

I am currently working on an alert wherein it should trigger email when a search condition is met. Details are as below:

Whenever the log events contains the text "Timer Alert Expired", I should be able to trigger the alert and send an email.

Sample event as below:

Error log: “WARN [com.tracegroup.IMP_DIAG.transformer.MappingDefinitionGroups.TSaaSRequestResp.MappingDefinitions.CreateAlert] (G_M80T53|utx:681b7409:173e5a33ee9:-35a4|chnl:LN1_TransactionQueue-Events|id:184880844222000160000096002) 200813PN100144009 -- Timer Alert Expired”

While, I am able to extract the string and store it in a field (time_expire), I am unable to get a way to trigger an alert. Needed help in creating an alert with the above condition. I understand from alert function that it will be triggered when a particular condition is met but in this condition not sure on how to generate the alert.

Thanks

San

dave_null · ‎08-14-2020

Can you make a search that find the events? After that, you should be able to press on "Save As" on the upper-right and then click on "Alert."

You should then be able to specify various settings for the alert, such as trigger actions like email. Assuming your email settings are correct, of course.

santosh_scb · ‎08-15-2020

Thanks Dave that is working.

Help in creating search query for Alert

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University

Are you a member of the Splunk Community?

Help in creating search query for Alert

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University