Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a custom alert based on past data?

kdineshreddy009
New Member
‎04-17-2023 04:52 AM

can we setup an alert based on data from current time stamp & based on information on past 15mins ?

say at T1, got a log event "a=2"

say at T2, got a log event "a=3"

i would like to check if at T2, if we have a T1 in past 15mins of T2 ?

0 Karma
Reply

woodcock
Esteemed Legend
‎04-17-2023 06:35 PM

| makeresults
| eval a="2"
| eval _time = _time - 500
| append [| makeresults | eval a="3"]
| eval host="foo"
| rename COMMENT AS "You might need a '| reverse' here"
| streamstats count(eval(a=="3")) AS sessionID BY host
| stats count min(_time) AS _time dc(a) AS a_count range(_time) AS duration BY host
| where (a_count=="1" AND (now() - _time) > (15 * 60)) OR (a_count=="2" AND duration > (15 * 60))

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-17-2023 05:50 AM

An alert is based on an output of a search. A search, unless it's a realtime search (which you shouldn't use anyway ;-)), is based on past data.

So the general answer is - yes, you can alert based on past data.

Question is how to build a search which will return proper results from your data. It will depend on your needs and your data.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-17-2023 05:42 AM

Set the time frame for the search to the past 15 minutes and see if but events are returned.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...