nilanjankc
New Member
06-21-2019
08:01 AM
New to Splunk, can anyone please help me with the below scenario?
I am receiving events like below:
Event LastUpdateTime
Event1 21/06/2019 10.05AM
Event2 21/06/2019 10.08AM
I have to create an alert for all those events where the difference between my current time (system time) and the LastUpdateTime is more than 30 minutes. In this scenario, what will be my search string?
It would be a great help if someone can assist me with this.
Nilanjan
1 Solution
somesoni2
Revered Legend
06-21-2019
08:06 AM
It'll be something like this
your base search to select your data with fields "Event" "LastUpdateTime"
| where now()-strptime('LastUpdateTime',"%d/%m/%Y %I.%M%p") > 1800
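A self-contained version of the accepted search, added here as an illustration and not part of either answer. It builds a few constructed sample rows with makeresults (the event names and timestamps are assumptions: two from the question, one generated five minutes ago, and one deliberately unparseable) so the whole thing can be pasted into a search bar as-is. Because the timestamps carry an AM/PM marker, the hour directive has to be %I (12-hour) rather than %H (24-hour), otherwise every PM time is read twelve hours early. Rows whose timestamp does not parse are surfaced as "unparseable" instead of being silently dropped, since in a staleness alert a broken timestamp is itself worth seeing:

```spl
| makeresults
| eval data = "Event1,21/06/2019 10.05AM|Event2,21/06/2019 10.08AM|Event3," . strftime(relative_time(now(), "-5m"), "%d/%m/%Y %I.%M%p") . "|Event4,not a timestamp"
| makemv delim="|" data
| mvexpand data
| rex field=data "^(?<Event>[^,]+),(?<LastUpdateTime>.+)$"
| fields - data _time
| eval last_update_epoch = strptime(LastUpdateTime, "%d/%m/%Y %I.%M%p")
| eval age_sec = now() - last_update_epoch
| eval status = case(isnull(last_update_epoch), "unparseable", age_sec > 30*60, "stale", true(), "fresh")
| where status != "fresh"
| eval age_min = round(age_sec / 60, 0)
| table Event LastUpdateTime status age_min
```

Event1 and Event2 come back as stale (they are dated 2019, so their age is enormous), Event4 comes back as unparseable, and Event3 is filtered out as fresh. For the real alert, replace everything from makeresults down to the fields line with the base search (index=... sourcetype=...) that returns the Event and LastUpdateTime fields, save it as a scheduled alert, and trigger on "number of results > 0". Two caveats: subtracting the raw string from now() yields null, so the strptime conversion is required, not optional; and strptime with no %z directive interprets the string in the timezone of the user running the search, so if the source system writes local time in a different zone the computed age is off by that offset and the format string or the upstream logging should carry the zone.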
woodcock
Esteemed Legend
06-23-2019
05:26 PM
Like this:
index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo
| eval ago = now() - strptime(LastUpdateTime, "%d/%m/%Y %I.%M%p")
| where ago >= (30 * 60)