- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- I have a search using a field I created and it pro...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Splunk Users,
I created an alert using a field that I created and I only want to receive alerts where that field (it is a time stamp) is older than 2 days:
index = wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico" Looking_time=* | eval testDate=strptime(Looking_time,"%Y-%m-%d")
| where testDate < relative_time(now(),"-2d@d")
The search works and it gives results when tested in the search app. I made sure that the field has the right permissions and had another user test it and it does work as well.
However, when I create an alert using this search, it will not send emails when the error occurs.
When I click "View Recent" under Actions in "Searches, Reports, and Alerts", I see the that the search is at 100%, but it still says it is waiting to finish, so I am thinking somehow something is wrong in my search. However, when I use the search the search without the alert, it yields results.
I have tried several settings in my alert and it worked when I used the search like this:
index = wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico" Looking_time=*
However, it does not work when I give the | eval part:
index = wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico" Looking_time=* | eval testDate=strptime(Looking_time,"%Y-%m-%d")
| where testDate < relative_time(now(),"-2d@d")
Thanks for your help!
Oliver
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
index = wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico" Looking_time=*
| where strptime(Looking_time,"%Y-%m-%d")< relative_time(now(),"-2d@d")
OR (I personally like this method)
index = wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico" [ |gentimes start=-1 | eval Looking_time=strftime(relative_time(now(),"-2d@d"),"%Y-%m-%d") | table Looking_time]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
index = wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico" Looking_time=*
| where strptime(Looking_time,"%Y-%m-%d")< relative_time(now(),"-2d@d")
OR (I personally like this method)
index = wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico" [ |gentimes start=-1 | eval Looking_time=strftime(relative_time(now(),"-2d@d"),"%Y-%m-%d") | table Looking_time]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, those searches work as well. I don't why but the alert is sending now with the old search as well..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Be sure to click "Accept".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Make sure you have configured the email settings on the Search Head running the search: Settings > Sever Settings > Email Settings
Hope this helps
Index This | I’m short for "configuration file.” What am I?
New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...
Your Guide to SPL2 at .conf24!
