Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to trigger an alert when status field is true for more than 5 min no matter the amount of event

Cheng2Ready
Path Finder
‎08-15-2024 02:48 PM

I have search query, if the Status is field is true for more than 5 min, I need to trigger an alert  no matter the Event count result. if its within the timeframe then fire.
Mabey even have it search for every 1minute.


for example  this should not fire an Alert because it recovered within the 5 min

1:00 Status = Down   (event result count X5)
1:03 Status = up
1:07 Status = Down  (event count X3)
1:10 Status = up
1:13 Status = up
1:16 Status = up

for example  this should  fire an Alert 

1:00 Status = Down  (event result count X1)
1:03 Status = Down (event result count X1)
1:07 Status = Down (event result count X1)
1:10 Status = up
1:13 Status = up
1:16 Status = up

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-15-2024 04:06 PM

Your data does not match your description - the Status field appears to be either "up" or "Down" not "true" - because of this, it is not clear whether you want an alert if there has been a period of at least 5 minutes of Status being "Down" or Status being "up" anywhere within the time period of the search - please clarify your requirement

0 Karma
Reply

Cheng2Ready
Path Finder
‎08-15-2024 04:20 PM

@ITWhisperer This is what I imagine it should look like 
but im not sure if there is a way to add in a condition for Streamstats 
for this command?  or a workaround?
"reset_on_change= if (status="UP", 1, 0)  "

| bucket span=1m _time
| eval status_change=if(status="DOWN",1,0)
| streamstats sum(status_change) as down_count  reset_on_change= if (status="UP", 1, 0)
| eval is_alert=if(down_count >=5 AND status="DOWN",1,0)
| where is_alert=1

0 Karma
Reply

Cheng2Ready
Path Finder
‎08-15-2024 04:09 PM

@ITWhisperer want an alert if there has been a period for every1 minute of at least 5 minutes of Status being "Down" and if its interrupted with a status = Up then it resets the count and will not alert regarding the amount of event counts

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...