Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I change the time frame for real-time alerts?

ArsenyKapralov
Path Finder
‎07-19-2016 08:50 AM

Hi

I have a stream of events coming continuously, but with lag from the source which varies from 5 to 15 mins.
I want to run real-time searches based on these events, so I use rt-15m. But after search, I need to send email alerts based on search results. Problem is that in alerting settings, I can't set rt-15m, only rt.

How can I set up alerts to run in earliest=rt-30m latest=rt-15m time frame?

0 Karma
Reply

somesoni2
Revered Legend
‎07-19-2016 11:49 AM

The fixed latest time range value for any real-time search is "now", so it has to be rt only.(that way only it can have a sliding window for past so and so period). For your case, the lag varies from 5 to 15 mins and if you just use the rt-30m to rt, you should get all the events anyways.

Also, consider using a regular search running more frequenly as the real-time searches are expensive and should be avoided, if possible.
alt text

Preview file
14 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...