About splunking1

splunking1 · ‎01-30-2023

That makes a lot of sense. Thank you so much. One final question: If I were to extend your query to different host; would it still work? ....CB_STATE_TRANSITION | stats latest(_time) as _time, latest(toState) as toState by host | where (toState="OPEN" AND _time < relative_time(now(), "-5m")) I have different hosts and it is possible that the alert does not trigger for one of them even though the state was set to open for the last 5 minutes due to the state transitioning to closed. That would be a false positive so I want to account for each host separately. I will accept your answer once this thread is closed so don't worry 🙂

splunking1 · ‎01-29-2023

I appreciate the reply. I am curious about the issue with my approach. Conceptually, it makes sense. What is the problem with that approach? Just trying to understand.

splunking1 · ‎01-27-2023

I am trying to create an alert when the field toState changes to OPEN and stays in that OPEN state for 5 minutes. I have tried the following but it is not working. Would appreciate if I get some pointers. ... CB_STATE_TRANSITION | timechart span=5m count(toState="OPEN") as state | stats count | where count > 1 I have the alert run every 5 minutes and triggers when the number of results > 0.

Posts	3
Solutions	0
Karma Given	3
Karma Received	0
Member Since	‎01-27-2023

Online Status	Offline
Date Last Visited	‎01-31-2023 06:21 PM

How to trigger an alert if the condition remains f...

Re: How to trigger an alert if the condition remai...

Re: How to trigger an alert if the condition remai...

How to trigger an alert if the condition remains f...