Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a custom alert based on past data?

kdineshreddy009
New Member
‎04-17-2023 04:52 AM

can we setup an alert based on data from current time stamp & based on information on past 15mins ?

say at T1, got a log event "a=2"

say at T2, got a log event "a=3"

i would like to check if at T2, if we have a T1 in past 15mins of T2 ?

0 Karma
Reply

woodcock
Esteemed Legend
‎04-17-2023 06:35 PM

| makeresults
| eval a="2"
| eval _time = _time - 500
| append [| makeresults | eval a="3"]
| eval host="foo"
| rename COMMENT AS "You might need a '| reverse' here"
| streamstats count(eval(a=="3")) AS sessionID BY host
| stats count min(_time) AS _time dc(a) AS a_count range(_time) AS duration BY host
| where (a_count=="1" AND (now() - _time) > (15 * 60)) OR (a_count=="2" AND duration > (15 * 60))

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-17-2023 05:50 AM

An alert is based on an output of a search. A search, unless it's a realtime search (which you shouldn't use anyway ;-)), is based on past data.

So the general answer is - yes, you can alert based on past data.

Question is how to build a search which will return proper results from your data. It will depend on your needs and your data.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-17-2023 05:42 AM

Set the time frame for the search to the past 15 minutes and see if but events are returned.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...