Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alert when certain event occurs outside of time period of other event

tbrown
Path Finder
‎07-17-2020 01:14 PM

I have an event that logs the following 

 

 

.
.
startTime: 2020-07-17T17:48:46Z
endTime: 2020-07-17T17:52:27Z
.
.

 

 

I can pull out the following startTime and endTimes with regex. However, I also have a different event that comes in randomly. Call this the triggerEvent.

I basically want to alert whenever the triggerEvent comes in, provided it is not within the time period(between startTime and endTime) of the previous types of events I described. There may be multiple events over multiple days so I need to check that it doesn't occur during any of those time periods.

Any feedback is appreciated!

 

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎07-17-2020 06:03 PM 
index=trigger_event [ search index=start_end_event | rex your_regex | eval earliest=strptime(startTime."+0000","%FT%TZ%z"), latest=strptime(endTime."+0000","%FT%TZ%z")
| addinfo | eval timeargs="(earliest=".info_min_time." latest=".earliest.") OR (earlest=".latest." latest=".info_max_time.")"
| return $timeargs]

If there is the event, fire alert.

 

View solution in original post

Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎07-17-2020 06:03 PM 
index=trigger_event [ search index=start_end_event | rex your_regex | eval earliest=strptime(startTime."+0000","%FT%TZ%z"), latest=strptime(endTime."+0000","%FT%TZ%z")
| addinfo | eval timeargs="(earliest=".info_min_time." latest=".earliest.") OR (earlest=".latest." latest=".info_max_time.")"
| return $timeargs]

If there is the event, fire alert.

 

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...