Re: how to track if a transaction is taking more t...

kranthimutyala · ‎03-22-2021

Hi Splunkers,

we have a transaction which runs for every 4hours and usually take 5mins to complete.Im trying to set up an alert to trigger condition if the the transaction run time crosses more than 5mins.We don't have the privilege to setup real time alerts.So I tried with comparing the transaction start time with systime but not getting desired results and receiving false positives.And I need some setup like whenever the alert is completed within expected time(i.e 5mins) alert should no longer be triggered. Please help in this scenario.Thanks

hoaxm3 · ‎03-23-2021

If you have access to the rest query searches, you can run against the alert title and the runduration. Or look at the _audit index (Provides the same information)

- https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rest
- https://community.splunk.com/t5/Splunk-Search/How-to-create-a-scheduled-job-time-to-find-the-run-tim...

| rest /services/search/jobs 
| search title="Alert Name" 
| eval alert = if(runDuration>=300, "TRIGGER", "Normal") 
| search alert=TRIGGER

how to track if a transaction is taking more time with non real time alert

chart

eval

regex

rex

search job inspector

stats

subsearch

table

timechart

transaction

tstats

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...