I understand how to create a real time alert that runs every hour or 5 minutes or whatever, but to my understanding that alert is based on the time stamp on the log we are alerting on. But I have machines that are potentially offline for periods meaning that is possible for that alert to be missed as those logs wouldn't be uploaded until it reconnects to spunk and it is possible for it to miss the alert window.
So would like to use the idea produced in answers 42646
| eval delay=_indextime-_time | bucket bins=30 delay
(i can't post links so that's the best i can do)
but i don't understand how to get that working for a alert when most of the time you program the run (kron) time in the GUI and not in the query its self.
... View more