Splunk Search

how to track if a transaction is taking more time with non real time alert


Hi Splunkers,

we have a transaction which runs for every 4hours and usually take 5mins to complete.Im trying to set up an alert to trigger condition if the the transaction run time crosses more than 5mins.We don't have the privilege to setup real time alerts.So I tried with comparing the transaction start time with systime but not getting desired results and receiving false positives.And I need some setup like whenever the alert is completed within expected time(i.e 5mins) alert should no longer be triggered. Please help in this scenario.Thanks



Tags (1)
0 Karma


If you have access to the rest query searches, you can run against the alert title and the runduration. Or look at the _audit index (Provides the same information)


| rest /services/search/jobs 
| search title="Alert Name" 
| eval alert = if(runDuration>=300, "TRIGGER", "Normal") 
| search alert=TRIGGER

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!