Alerting

alert when search value not found for 30 min.

raindrop18
Communicator

I have set an alert for when the expected keyword is missing from the log for 30 minutes, but I didn't get any alert. I am wondering what I have missed. So the objective is: if "customerID AND status 200" is not found in the log for the last 30 minutes, send me an alert.

index=trans attributeName="CustomerID" AND "[status=200]" | head 1 | eval age = now() - _time

start time = -30m@m

Finish time = NOW
run every = 30minute
condition = if custom condition met
custom condition search = where age > 1800

0 Karma

somesoni2
SplunkTrust

When the conditions are not met for 30 minutes, your alert search will not return any records, hence no age calculation can take place.

You can achieve this in two ways:

1) Check the age of the last event which met the condition and raise an alert if the age is more than 30 minutes

index=trans attributeName="CustomerID" AND "[status=200]" | head 1 | eval age = now() - _time

start time = -60m@m
Finish time = now
run every = 30minute
condition = if custom condition met
custom condition search = where age > 1800

2) Check if any event is present meeting that condition in the last 30 minutes and, if no event, raise an alert

index=trans attributeName="CustomerID" AND "[status=200]" | head 1 

start time = -30m@m
Finish time = NOW
run every = 30minute
condition = if number of events is greater than 0

0 Karma
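The two trigger conditions from the answer above, as an added offline example that is not part of the thread and not Splunk code: a small Python script that runs the same "CustomerID AND [status=200]" match over a few constructed log lines, then evaluates approach 1 (age of the newest matching event, which is undefined when the search returns nothing, the trap the answer points out) and approach 2 (count of matching events inside the last 30 minutes). The log lines, timestamps and the fixed "now" values are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from the thread); ISO-8601 UTC timestamps.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z attributeName="CustomerID" value=123 [status=200]
2024-05-01T10:12:40Z attributeName="CustomerID" value=456 [status=500]
2024-05-01T10:20:15Z attributeName="OrderID" value=789 [status=200]
2024-05-01T10:25:00Z attributeName="CustomerID" value=321 [status=200]
"""

# Equivalent of the SPL search terms: attributeName="CustomerID" AND "[status=200]"
MATCH = re.compile(r'attributeName="CustomerID".*\[status=200\]')


def parse_events(log_text):
    """Return (timestamp, line) pairs for lines matching the search, newest first
    (newest-first mirrors what `| head 1` picks in Splunk)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip() or not MATCH.search(line):
            continue
        raw_ts = line.split(" ", 1)[0]
        ts = datetime.strptime(raw_ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, line))
    events.sort(key=lambda e: e[0], reverse=True)
    return events


def age_of_latest(log_text, now):
    """Approach 1: age in seconds of the most recent matching event (now() - _time).
    Returns None when nothing matched: the case where the original alert produced
    no rows, so `where age > 1800` never had anything to evaluate."""
    events = parse_events(log_text)
    if not events:
        return None
    return int((now - events[0][0]).total_seconds())


def should_alert_by_age(log_text, now, threshold=1800):
    """Alert when the newest event is older than the threshold, or when there is
    no matching event at all (treat a missing row as a missing signal)."""
    age = age_of_latest(log_text, now)
    return age is None or age > threshold


def count_in_window(log_text, now, window=timedelta(minutes=30)):
    """Approach 2: number of matching events in the last 30 minutes."""
    return sum(1 for ts, _ in parse_events(log_text) if now - window <= ts <= now)


def should_alert_by_count(log_text, now):
    """Alert when no matching event falls inside the window."""
    return count_in_window(log_text, now) == 0


if __name__ == "__main__":
    for now in (datetime(2024, 5, 1, 10, 40, tzinfo=timezone.utc),
                datetime(2024, 5, 1, 11, 10, tzinfo=timezone.utc)):
        print(now.isoformat(),
              "age:", age_of_latest(SAMPLE_LOG, now),
              "alert_by_age:", should_alert_by_age(SAMPLE_LOG, now),
              "count:", count_in_window(SAMPLE_LOG, now),
              "alert_by_count:", should_alert_by_count(SAMPLE_LOG, now))
```

The `None` return in `age_of_latest` is the point of the answer: with an empty result set the age comparison can never fire, so the alert logic has to treat "no rows" as an alert condition itself, or switch to the count-based check where an empty result is exactly what triggers.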