×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
AlexRP
Explorer
Member since: ‎12-16-2022
‎12-17-2022
Community Statistics
Posts 3
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎12-16-2022
Activity Feed
Topics I've Started
View All

Re: Customizing the time scope of alerts

by in Alerting
‎12-19-2022 10:55 AM
‎12-19-2022 10:55 AM
Hey Gisuppe I was trying out this solution. Can you clarify something for me, please? In the following, what does 43100 and 14400 represent?  Is it possible just to add 8 hours to the 'earliest' variable and have my search use that value instead, effectively always using the last 4 hours when my search triggers at 12p, 4p, and 8p? eval timeframe=if(strftime(now(),"%H")=8,43200,14400)   ... View more

Re: Customizing the time scope of alerts

by in Alerting
‎12-19-2022 07:07 AM
‎12-19-2022 07:07 AM
wow! thank you so much for this solution. i didn't realize i could open up the query in this way.  i've learned something new. thanks again! ... View more

Customizing the time scope of alerts?

by in Alerting
‎12-16-2022 05:58 PM
‎12-16-2022 05:58 PM
First time posting here, and I'm a new user to Splunk. I'd love to get some advice on setting up an alert. I want it to trigger at 8am, 12pm, 4pm, and 8pm. I've set my Cron schedule to "* 8,12,16,20 * * *".  For the search's time scope, I'd like the following 8am trigger should have a search range of -12 hours to the current time. 12pm, 4pm, and 8pm triggers should have a search range of -4 hours to the current time I've set my range time to be -12 (earliest) to the current time (now), but the 12pm, 4pm, and 8pm triggers are getting results that had already been part of the result set from the 8am trigger. Does Splunk know when a result has been previously reported, or is there a way I can filter those out using the search query? How does the expire parameter work? Can I leverage it in a way that I won't get previously reported results? Would I have to set up a separate alert for the 8am trigger, even though (aside from the 12 hour lookback) it does the same thing and serves the same purpose of an alert that would encompass the other times? Here's what search and the time range looks like on my alert. Thanks in advance for the guidance! index="slPlatform" environment="Development" Application="AP_post_EmployeePayload_To_EmployeeProfile" | where eventLogLevel like "CRITICAL%"     ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎12-17-2022 01:51 AM
Karma given to
View All