I have a problem triggering an alert on a Splunk search based on a cron job that runs this way:
Search query:
index=pdx_pfmseur0_fxs_event sourcetype=st_xfmseur0_fxs_event
| eval
trackingid=mvindex('DOC.doc_keylist.doc_key.key_val',mvfind('DOC.doc_keylist.doc_key.key_name', "MCH-TrackingID"))
| rename gxsevent.gpstatusruletracking.eventtype as events_found
| rename file.receiveraddress as receiveraddress
| rename file.aprf as AJRF
| table trackingid events_found source receiveraddress AJRF
| stats values(trackingid) as trackingid, values(events_found) as events_found, values(receiveraddress) as receiveraddress, values(AJRF) as AJRF by source
| stats values(events_found) as events_found, values(receiveraddress) as receiveraddress, values(AJRF) as AJRF by trackingid
| search AJRF=ORDERS2 OR AJRF=ORDERS1
| stats count as total
| appendcols [search index=idx_pk8seur2_logs sourcetype="kube:container:8wj-order-service" processType=avro-order-create JPABS | stats dc(nativeId) as rush]
| appendcols [search index=idx_pk8seur2_logs sourcetype="kube:container:9wj-order-avro-consumer" flowName=9wj-order-avro-consumer customer="AB" (message="HBKK" OR message="MANU") | stats count as hbkk]
| eval gap = total-hbkk-rush
| table gap, total, rush
| eval status=if(gap>0, "OK", "KO")
| eval ressource="FME-FME-R:AB"
| eval service_offring="FME-FME-R"
| eval description="JPEDI - Customer AB has an Order Gap \n \nDetail : JPEDI - Customer AB has an Order Gap is now :" + gap + "\n\n\n\n;support_group=AL-XX-MAI-L2;KB=KB0078557"
| table ressource description gap total rush service_offring
I received three alerts containing the same result, according to the cron job.
Your cron expression determines when the report is executed, not the period it covers - in your scenario, the report will run at 50 minutes past the hour for the hours 8am to 9pm, i.e. 8:50 to 21:50. You should then look at throttling of the alert. You may need to have 3 reports, one for each period, so that a new throttle kicks in for each period.
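As an added illustration of the answer above (not from the original thread), here is a hypothetical savedsearches.conf stanza that separates the three settings involved: when the search runs (cron_schedule), what time range it covers (dispatch.earliest_time / dispatch.latest_time), and how long a repeated result is throttled (alert.suppress.*). The stanza name, the 13h suppression window and the abbreviated search body are assumptions, not from the original post.

```ini
# Hypothetical stanza (added example); the search body is abbreviated to the
# original query's last line and would normally hold the full SPL.
[JPEDI AB order gap]
enableSched = 1
search = index=pdx_pfmseur0_fxs_event sourcetype=st_xfmseur0_fxs_event ... | eval status=if(gap>0, "OK", "KO")

# WHEN the search runs: 08:50, 09:50, ..., 21:50 every day.
# This only sets the trigger time; it says nothing about the data window.
cron_schedule = 50 8-21 * * *

# WHAT the search covers: the previous whole hour before each run.
# If this window is wider than the gap between runs, consecutive runs
# overlap and each one reports the same gap again.
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h

# Fire only when the result rows actually show a gap.
counttype = custom
alert_condition = search gap > 0

# HOW OFTEN it may fire: once it triggers for a given ressource value,
# further triggers with the same value are suppressed for 13h, i.e. from
# the 08:50 run through the 21:50 run. Throttling does not delete results;
# it only stops the alert action from repeating. Following the answer,
# one stanza per period with its own cron range and a shorter suppress
# period gives a fresh throttle for each period.
alert.suppress = 1
alert.suppress.fields = ressource
alert.suppress.period = 13h
```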
Yes, I need to have 3 reports.
I believe that to reduce the frequency of triggering alerts I have to configure a period during which I delete the results?