Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

trigger an alert if a process is taking more than the expected time

kranthimutyala
Path Finder
‎03-24-2021 08:33 AM

Hi Splunkers,

I have the below logs and trying to create an alert if a process run is taking more than the expected time.

2021-03-24T14:00:14.8 STATUS=Successful,ACTIVITY AT=2021-03-24T14:00:14,ACTION TYPE=Process started

2021-03-24T14:05:21.54 STATUS=Successful,ACTIVITY AT=2021-03-24T14:05:21,TYPE=Process finished

Im using the below query to track the same but it is triggering an alert even if the process is completed well within the limit

index="abc" TYPE="Process started"
| eval last_seen=_time
| eval mins_since = round((now() - last_seen) / (60))
|table mins_since |search mins_since>10

From the above logs the alert shouldn't trigger since process has finished in 5mins but i'm getting false positives.The alert should trigger only if Process is not finished and mins_since>10.

I tried search TYPE!="Process finished" AND mins_since>10 but still not getting desired results.Please help me in this scenario.Thanks.

 

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-24-2021 08:55 AM

Hi @kranthimutyala,

Since you are not checking if Process finished or not  result may wrong. Please try this.

index="abc" TYPE="Process started"
| dedup TYPE | head 1
| eval mins_since = round((now() - _time) / 60)
| where TYPE="Process started" AND mins_since>10
| table min_since
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-24-2021 08:55 AM

Hi @kranthimutyala,

Since you are not checking if Process finished or not  result may wrong. Please try this.

index="abc" TYPE="Process started"
| dedup TYPE | head 1
| eval mins_since = round((now() - _time) / 60)
| where TYPE="Process started" AND mins_since>10
| table min_since
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...