Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create alert if no up alert received within 1 minutes?

Raymundo
Loves-to-Learn
‎03-21-2023 07:35 PM

I have two types of events when the interface is down and when it is up


It usually happens that the interface comes down, after 10 seconds it goes back up.

* An event arrives where it tells me that the interface is down
* Another event arrives where it tells me that the interface is up and it was down for 10 seconds.

I would like to alert if the interface does not come back up in a period of 1 minute.

I have tried several options but I have not been able to make it alert.

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-21-2023 10:07 PM

Hi @Raymundo ,

I suppose that the messages are: system_down and system_up, otherwise adapt my search:

index=your_index (message="system_up" OR message="system_down")
| eval status=if(message="system_up","system_up","system_down")
| stats dc(status) AS status_count values(status) AS status
| where dc_status=1 AND status="system_up"

to run every minute.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...