I am trying to create an alert to check for spikes in a record that is created once a minute with a number of created objects. This is the query I am currently using and it works fine to get what I want.
index=metrics sourcetype=created_regcart earliest=-1m latest=now | rename created_regcarts as nowRegCarts | join type=outer sourcetype [search index=metrics sourcetype=created_regcart earliest=-2m latest=-1m | rename created_regcarts as thenRegCarts] | eval percent=(((nowRegCarts-thenRegCarts)/thenRegCarts)*100)
The issue I am facing is that I am using the Splunk API to check for fired alerts and creating a link so people can see the results. I don't want to use the job SID to show the results, so I can have the jobs expire after a reasonable time and still be able to view the results.
I am currently adding the time in seconds to the end of the query when I create a link so it will look like
The times I am using inside the query overwrite the earliest and latest time in the link, and I am wondering if there is any way to look at the last 2 minutes of a search based on the custom time added.
Thanks for all the help.
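The comparison the query above performs, as an added example that is not part of the original post: count the records in the minute ending at a caller-supplied reference time, compare with the minute before it, and compute the percent change. The record layout (`_time`, `created_regcarts`) and the sample records are constructed for illustration. It goes slightly beyond the query by handling the two cases where the SPL `eval` would yield null: no record in the previous window, or a previous count of zero.

```python
"""
Percent-change spike check between two consecutive one-minute windows,
anchored on a caller-supplied reference time (added example, not the post's code).

nowRegCarts  = count in [T-1m, T)
thenRegCarts = count in [T-2m, T-1m)
percent      = (now - then) / then * 100
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: one record per minute, as the sourcetype in the post produces.
BASE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"_time": BASE + timedelta(minutes=0), "created_regcarts": 40},
    {"_time": BASE + timedelta(minutes=1), "created_regcarts": 50},
    {"_time": BASE + timedelta(minutes=2), "created_regcarts": 120},
    {"_time": BASE + timedelta(minutes=3), "created_regcarts": 0},
    {"_time": BASE + timedelta(minutes=4), "created_regcarts": 30},
]


def window_total(records, start, end):
    """Sum created_regcarts for records with start <= _time < end; None if the window is empty."""
    hits = [r["created_regcarts"] for r in records if start <= r["_time"] < end]
    return sum(hits) if hits else None


def percent_change(records, ref_time):
    """Compare the minute ending at ref_time with the minute before it.

    Returns the percent change, or None when the previous window is empty or
    its count is zero (the outer join plus eval in the post yields null there).
    """
    now_start = ref_time - timedelta(minutes=1)
    then_start = ref_time - timedelta(minutes=2)
    now = window_total(records, now_start, ref_time)
    then = window_total(records, then_start, now_start)
    if now is None or not then:  # missing or zero baseline: no meaningful ratio
        return None
    return (now - then) / then * 100.0


def percent_change_at_epoch(records, epoch_seconds):
    """Same check, but anchored on the epoch-seconds value appended to the link."""
    ref = datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)
    return percent_change(records, ref)


def is_spike(records, ref_time, threshold_percent=50.0):
    """True when the minute-over-minute increase meets the threshold."""
    pct = percent_change(records, ref_time)
    return pct is not None and pct >= threshold_percent


if __name__ == "__main__":
    for minutes in range(1, 6):
        ref = BASE + timedelta(minutes=minutes)
        print(ref.isoformat(), percent_change(SAMPLE_RECORDS, ref), is_spike(SAMPLE_RECORDS, ref))
```

Passing the reference time explicitly is what makes the result reproducible after the job has expired: the same epoch value in the link always selects the same two windows.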
I am using the REST API to create a bot to search for triggered alerts every 30 seconds or so. I created saved searches as alerts on my personal Splunk account from my company and everything worked fine.
curl -k -u [username]:[password] https://[host]/servicesNS/[username]/[app]/alerts/fired_alerts -d "output_mode=json" --get
I recently got a new Splunk account specifically for the bot to use, so I went and recreated the alerts I had previously created on the new account, but when I run the API calls I am not getting any triggered alerts returned. I can see my test alerts in the alert manager, and the alerts I created on the new account are exactly the same as the ones I had on my personal account.
I have tried deleting the saved searches on my personal account as well as recreating the searches on the bot account but I am unable to see the triggered alerts when I check for them using the API.
Any help would be greatly appreciated.
edit: If I search for triggered alerts from all apps I am able to see other alerts that were created by other people but not the ones I created.
I can see the alerts that were triggered http://i.imgur.com/NcoDyy7.png but when I run the command I only get http://pastebin.com/6N9r82k1
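The fired_alerts call from the post, as an added example that is not part of the original post or of Splunk's own code: a standard-library client that performs the same GET with `output_mode=json`, then flattens the response and can filter entries by owner, which is the first thing to inspect when alerts owned by other users show up but one's own do not. The endpoint path is the one in the post; the response envelope (`entry` list with `name`, `acl` and `content`) and the content keys read below (`savedsearch_name`, `sid`, `trigger_time`, `severity`) are assumed, and the sample payload is constructed.

```python
"""
Poll the Splunk fired_alerts REST endpoint and flatten the triggered alerts
(added example, not code from the post). Standard library only.

Assumed: endpoint path from the post; Splunk JSON envelope with an "entry"
list whose items carry "name", "acl" and "content"; content keys below.
"""
import json
import os
import ssl
import urllib.request
from base64 import b64encode


def fetch_fired_alerts(host, username, password, app, namespace_user=None):
    """GET /servicesNS/{user}/{app}/alerts/fired_alerts?output_mode=json.

    Unlike the curl -k call, the server certificate is verified, and the
    password comes from the caller (read from the environment in __main__)
    rather than being typed on the command line.
    """
    ns_user = namespace_user or username
    url = f"https://{host}/servicesNS/{ns_user}/{app}/alerts/fired_alerts?output_mode=json"
    req = urllib.request.Request(url)
    token = b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()  # verifies the certificate chain and hostname
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode())


def extract_fired(payload, owner=None):
    """Flatten the envelope into plain dicts; keep only entries owned by `owner` if given.

    A payload without an "entry" list yields [] rather than raising, so a
    polling loop keeps running on an empty or unexpected response.
    """
    out = []
    for entry in payload.get("entry", []):
        content = entry.get("content", {})
        acl = entry.get("acl", {})
        if owner is not None and acl.get("owner") != owner:
            continue
        out.append({
            "name": entry.get("name"),
            "savedsearch_name": content.get("savedsearch_name", entry.get("name")),
            "sid": content.get("sid"),
            "trigger_time": content.get("trigger_time"),
            "severity": content.get("severity"),
            "owner": acl.get("owner"),
        })
    return out


def count_for_owner(payload, owner):
    """Number of fired alerts in the payload that belong to `owner`."""
    return len(extract_fired(payload, owner))


# Constructed sample response (envelope shape assumed; all values invented).
SAMPLE_PAYLOAD = {
    "entry": [
        {"name": "regcart_spike", "acl": {"owner": "botuser"},
         "content": {"savedsearch_name": "regcart_spike", "sid": "sid-constructed-1",
                     "trigger_time": 1700000000, "severity": 4}},
        {"name": "disk_full", "acl": {"owner": "someone_else"},
         "content": {"savedsearch_name": "disk_full", "sid": "sid-constructed-2",
                     "trigger_time": 1700000060, "severity": 5}},
    ]
}


if __name__ == "__main__":
    # Offline demonstration on the constructed payload.
    for alert in extract_fired(SAMPLE_PAYLOAD):
        print(alert["owner"], alert["savedsearch_name"], alert["sid"])
    # Live call only when credentials are supplied through the environment.
    if all(k in os.environ for k in ("SPLUNK_HOST", "SPLUNK_USER", "SPLUNK_PASSWORD", "SPLUNK_APP")):
        live = fetch_fired_alerts(os.environ["SPLUNK_HOST"], os.environ["SPLUNK_USER"],
                                  os.environ["SPLUNK_PASSWORD"], os.environ["SPLUNK_APP"])
        print(extract_fired(live, owner=os.environ["SPLUNK_USER"]))
```

Comparing `extract_fired(live)` with `extract_fired(live, owner=<bot user>)` separates "the endpoint returns nothing" from "the endpoint returns alerts, but none owned by this user in this namespace", which is the distinction the edit in the post is probing.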