Solved: Re: Alert based on time range and message

Jiten009 · ‎04-09-2013

Hi All,

I want to set alerts based on the message in a particular time range. My logs look like :

08 Apr 2013 11:31:48,987 INFO Scheduler-Job-3 FileUtil - time=2013-04-08T11:31:48.987CDT,Level=Info,Message = File scheduler done

This task will execute every day at 11.30, so I want to set an alert if "File scheduler done" message is not appearing in logs between 11.30 to 11.40.

Please help me in creating such alert.

jonuwz · ‎04-09-2013

Try this definiing it this way :

search = "File scheduler done"
start time = @d+11h+30m
end time = @d+11h+40m
schedule type = cron
cron schedule = 45 11 * * *
alert condition = if number of events is equal to 0
alert mode = once per search

View solution in original post

Jiten009 · ‎04-09-2013

Hi,

I tried this way and its working. I am not sure if it fails to alert in any exceptional scenario.

earliest=@d+690m latest=@d+700m AND Message != "File scheduler done"

jonuwz · ‎04-09-2013

Try this definiing it this way :

search = "File scheduler done"
start time = @d+11h+30m
end time = @d+11h+40m
schedule type = cron
cron schedule = 45 11 * * *
alert condition = if number of events is equal to 0
alert mode = once per search

Jiten009 · ‎04-09-2013

Thanks for your help.

Alert based on time range and message

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation