Solved: How to create Splunk Alert based on custom conditi...

nilanjankc · ‎06-21-2019

New to Splunk, can anyone please help me with the below scenario?

I am receiving events like below:

Event    LastUpdateTime
Event1  21/06/2019 10.05AM
Event2  21/06/2019 10.08AM

I have to create an alert for all those events if my current time(system time) and the LastUpdateTime difference is more than 30 minutes, in this scenario what will be my search string.
It would be a great help if someone can assist me with this.

Nilanjan

somesoni2 · ‎06-21-2019

It'll be something like this

your base search to select your data with fields "Event" "LastUpdateTime"
| where now()-strptime('LastUpdateTime',"%d/%m/%Y %H.%M%p") >1800

View solution in original post

woodcock · ‎06-23-2019

Like this:

index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo
| eval ago = now() - LastUpdateTime
| where ago >= (30 * 60)

somesoni2 · ‎06-21-2019

It'll be something like this

your base search to select your data with fields "Event" "LastUpdateTime"
| where now()-strptime('LastUpdateTime',"%d/%m/%Y %H.%M%p") >1800

How to create Splunk Alert based on custom condition?

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...