Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I change the time frame for real-time alerts?

ArsenyKapralov
Path Finder
‎07-19-2016 08:50 AM

Hi

I have a stream of events coming continuously, but with lag from the source which varies from 5 to 15 mins.
I want to run real-time searches based on these events, so I use rt-15m. But after search, I need to send email alerts based on search results. Problem is that in alerting settings, I can't set rt-15m, only rt.

How can I set up alerts to run in earliest=rt-30m latest=rt-15m time frame?

0 Karma
Reply

somesoni2
Revered Legend
‎07-19-2016 11:49 AM

The fixed latest time range value for any real-time search is "now", so it has to be rt only.(that way only it can have a sliding window for past so and so period). For your case, the lag varies from 5 to 15 mins and if you just use the rt-30m to rt, you should get all the events anyways.

Also, consider using a regular search running more frequenly as the real-time searches are expensive and should be avoided, if possible.
alt text

Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...