Solved: Alert when certain event occurs outside of time pe...

tbrown · ‎07-17-2020

I have an event that logs the following

.
.
startTime: 2020-07-17T17:48:46Z
endTime: 2020-07-17T17:52:27Z
.
.

I can pull out the following startTime and endTimes with regex. However, I also have a different event that comes in randomly. Call this the triggerEvent.

I basically want to alert whenever the triggerEvent comes in, provided it is not within the time period(between startTime and endTime) of the previous types of events I described. There may be multiple events over multiple days so I need to check that it doesn't occur during any of those time periods.

Any feedback is appreciated!

to4kawa · ‎07-17-2020

index=trigger_event [ search index=start_end_event | rex your_regex | eval earliest=strptime(startTime."+0000","%FT%TZ%z"), latest=strptime(endTime."+0000","%FT%TZ%z")
| addinfo | eval timeargs="(earliest=".info_min_time." latest=".earliest.") OR (earlest=".latest." latest=".info_max_time.")"
| return $timeargs]

If there is the event, fire alert.

View solution in original post

to4kawa · ‎07-17-2020

index=trigger_event [ search index=start_end_event | rex your_regex | eval earliest=strptime(startTime."+0000","%FT%TZ%z"), latest=strptime(endTime."+0000","%FT%TZ%z")
| addinfo | eval timeargs="(earliest=".info_min_time." latest=".earliest.") OR (earlest=".latest." latest=".info_max_time.")"
| return $timeargs]

If there is the event, fire alert.

Alert when certain event occurs outside of time period of other event

field extraction

regex

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?