Hi @rajs115,
you have two ways to do this:
- define the one-hour time period for your search with the Time Picker and then save the search as an alert; in this way the time period is associated with your search;
- otherwise you can insert the following condition in your search:
sourcetype="logs" earliest=-1h latest=now
I suggest following the Search Tutorial at https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial which explains how to search in Splunk.
Ciao.
Giuseppe
One more thing: I need to run this query every hour. If the count is '0' for the last hour of the search, I need to send an alert.


Hi @rajs115,
when you say "count=0", do you mean that you don't have any results from your search, or that you want to test e.g. a list of hosts and identify the ones with no events?
If the first, you have to create an alert with your search and set the condition "count=0" in the Alert conditions.
If instead the second, you have to create a list of hosts to check in a lookup (called e.g. "perimeter.csv") containing at least one field ("host"), and then run a search like this:
| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0
Ciao.
Giuseppe
Hi @gcusello ,
Yes, it's the solution as you mentioned. I am running a basic query to look for events over the last 1 hour, and when the count is '0' I have to send an alert. Below is the query I am running. Can you please check if it's right? Also, how do I specify the time period of the last 1 hour in my search query?
sourcetype="logs" | stats count | where count=0
Thanks.


Hi @rajs115,
your search is larger than what you need; you could simply run:
sourcetype="logs"
and put the condition results=0 in the alert.
Only one note: always use the condition index=your_index in your searches, because searches are quicker and otherwise you risk not searching some indexes outside the default path.
Ciao.
Giuseppe
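Putting the two suggestions from this thread (the plain "no events in the last hour" alert, and the per-host coverage check against a perimeter lookup) into scheduled alerts, as an added example that is not from the original posts: a savedsearches.conf fragment. The index name your_index, the app path, the lookup file perimeter.csv and the e-mail address are assumed placeholders.

```ini
# Added example (not from the thread): two scheduled alerts in
# $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf.
# "your_index", the app path, the lookup file and the e-mail address are
# placeholders; adjust them to your environment.

# 1) Fire when the source produced no events at all in the last hour.
#    The search returns raw events; the alert condition below, not the
#    search, performs the "count = 0" test, so a "| stats count | where count=0"
#    tail is not needed. Filtering on index= keeps the search fast and avoids
#    depending on the role's default search path.
[No logs in the last hour]
search = index=your_index sourcetype="logs"
dispatch.earliest_time = -1h
dispatch.latest_time = now
enableSched = 1
cron_schedule = 5 * * * *
counttype = number of events
relation = equal to
quantity = 0
alert.track = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = No "logs" events received in the last hour

# 2) Fire when at least one expected host listed in perimeter.csv (one
#    "host" column) sent nothing in the last hour. metasearch reads only
#    index metadata, so this stays cheap on a busy index; lower() on both
#    sides keeps "WEB01" and "web01" from being treated as different hosts.
[Silent perimeter hosts]
search = | metasearch index=your_index | eval host=lower(host) | stats count BY host | append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ] | stats sum(count) AS total BY host | where total=0
dispatch.earliest_time = -1h
dispatch.latest_time = now
enableSched = 1
cron_schedule = 5 * * * *
counttype = number of results
relation = greater than
quantity = 0
alert.track = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = Hosts with no events in the last hour
action.email.inline = 1
```

The first stanza is what the Alert editor writes when you choose "Number of Results is equal to 0" on an hourly cron; the second fires on the opposite condition, because there the search rows are the silent hosts themselves. Both run at five past the hour rather than on the hour so that a few minutes of forwarder or indexing lag do not turn into a false "nothing arrived" alarm; if your pipeline lags more than that, move the window back as well (for example dispatch.earliest_time = -65m@m and dispatch.latest_time = -5m@m) instead of widening it.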