Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Time periods for query and alert
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there!
I'm running this query index="staging" |eval raw_len=len(_raw) | eval raw_len_gb = raw_len/1024/1024/1024 | stats sum(raw_len_gb) as GB by kubernetes_namespace | where GB > 0.5
When I'm running this query in "Search", I choose "For the last 24 hours".
I want to save this query as alert, and the alert will run let's say once a hour.
The question is - will it run this query like I run it in search (last 24 hours)? Or I need to specify it inside a query (last 24 hours)?
Thanks,
Aleksei
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Once you run the search for last 24 hours and save it as an alert. Then alert runs search for for last 24 hours. You don't need to specify earliest and latest in search query.
You can also check Time Range in Edit Alert page.
Alert configuration in savedsearches.conf are stored as below:
[alert_name]
search = <search_query>
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Once you run the search for last 24 hours and save it as an alert. Then alert runs search for for last 24 hours. You don't need to specify earliest and latest in search query.
You can also check Time Range in Edit Alert page.
Alert configuration in savedsearches.conf are stored as below:
[alert_name]
search = <search_query>
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks,
And what i I will add earliest=-24h to the query as well? It will always run the query and give results for the last 24 hours?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. Query will run for last 24 hours irrespective of Time Range set.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got it, thanks a lot for your answer!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you're welcome.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
