Alerting

Why is my alert not being triggered when there are results while searching?

LuiesCui
Communicator

Hey guys, I'm new to Splunk and I really need your help!
What I want to do is to find out the most recent event and see the gap between the time of the event and now. If the gap is greater than 10 minutes, the alert is triggered. So I had a search string like this:

index=palink  
| stats max(_time) as LatestTime 
| eval Gap=(time()-LatestTime)  
| where Gap>600
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(LatestTime) 
| eval dtime=strftime(Gap,"%M:%S") 
| table LatestTime dtime

It worked well in search, so I saved it as an alert with the following settings:

Title: palink_alert
Alert type: Scheduled
Time Range: Run on Cron Schedule
Earliest: @d+1h
Latest: now
Cron Expression: * /5 * * * *
Trigger condition: Number of Results
Trigger if number of results: is Greater than 0

When the gap is greater than 10 minutes, I can see the results if I click Open in Search. However, on the alert page it says "There are no fired events for this alert." How do I fix this problem?

Update:
It shows alerts when I set Alert Type=Real Time. But it shows nothing in search and alerts even when it should not be triggered. I set it as follows:

Title: pa_test
Alert type: Real Time
Trigger condition: Per-Result

So I tried to set it as:

Title: pa_test
Alert type: Real Time
Trigger condition: Number of Results
Number of results is: Greater than 0
in: 1 minute(s)

And then it says "In handler 'savedsearch': windowed real-time per result alerts require field based alert throttling to be enabled." What should I do now?

0 Karma

echalex
Builder

Hi LuiesCui,

Your Cron expression seems to have an extra space between the star and the slash:

* /5 * * * *

There should be no space there:

*/5 * * * *

This is assuming you want to run the search every five minutes and that the extra space isn't a copy-paste error.

0 Karma
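The following is an added example and is not code from this thread or from Splunk. It models the posted alert in Python to make three things concrete that the listed settings hide: `* /5 * * * *` splits into six fields and so is not a five-field cron expression, while `*/5 * * * *` is; `@d+1h` is Splunk relative time for "start of today plus one hour", so between 00:00 and 01:00 the search window is inverted (earliest later than now) and the scheduled search sees nothing; and `stats max(_time)` only sees events inside the window, so once the index has been quiet for longer than the window there is no LatestTime to compare, `where Gap>600` passes nothing through, and the alert stays silent exactly when it should fire. All timestamps are constructed for the example, the cron check is deliberately minimal, and the `fires_hardened` variant is one suggested fix, not something the thread proposes.

```python
"""Added example (not from the original thread or from Splunk): a stand-alone
model of the posted "latest event is older than 10 minutes" alert.
All event timestamps are constructed for the example."""
import re
from datetime import datetime, timedelta, timezone

GAP_THRESHOLD = 600  # seconds, as in `| where Gap>600`

# Minimal five-field cron check: a field is "*", "N", "*/N" or "N/M".
# Enough to catch the stray space in the question; not a full validator.
_CRON_FIELD = re.compile(r"^(\*|\d+)(/\d+)?$")


def valid_cron(expr: str) -> bool:
    fields = expr.split()
    return len(fields) == 5 and all(_CRON_FIELD.match(f) for f in fields)


def resolve_at_d_plus_1h(now: datetime) -> datetime:
    """Splunk relative time "@d+1h": snap to the start of the day, add 1h."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + timedelta(hours=1)


def latest_event_gap(event_times, now, earliest):
    """Model of `stats max(_time) as LatestTime | eval Gap=now()-LatestTime`
    restricted to the events the scheduled search can see, i.e. those with
    earliest <= _time <= now (dispatch.earliest_time / dispatch.latest_time).
    Returns None when no event is in the window: the SPL then has no
    LatestTime to compare and `where Gap>600` yields no result row."""
    visible = [t for t in event_times if earliest <= t <= now]
    if not visible:
        return None
    return (now - max(visible)).total_seconds()


def fires_as_posted(event_times, now, earliest, threshold=GAP_THRESHOLD):
    """Trigger condition "Number of Results > 0" applied to the posted SPL."""
    gap = latest_event_gap(event_times, now, earliest)
    return gap is not None and gap > threshold


def fires_hardened(event_times, now, earliest, threshold=GAP_THRESHOLD):
    """Suggested variant (assumption, not from the thread): an empty window
    also fires, which is what a "data stopped arriving" alert needs. In SPL
    the equivalent is to make sure a row is always produced (for example by
    adding `count` to the stats call) and to treat a missing LatestTime as
    infinitely old."""
    gap = latest_event_gap(event_times, now, earliest)
    return gap is None or gap > threshold


def demo():
    """Run the scenarios and return their outcomes keyed by name."""
    noon = datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc)
    # Constructed events: 3, 8, 15 and 60 minutes before noon.
    events = [noon - timedelta(minutes=m) for m in (3, 8, 15, 60)]
    day = timedelta(hours=24)
    one_pm = noon + timedelta(hours=1)        # latest event is now 63 min old
    two_days_on = noon + timedelta(days=2)    # index has been quiet for 48 h
    half_past_midnight = datetime(2016, 3, 2, 0, 30, tzinfo=timezone.utc)
    inverted_earliest = resolve_at_d_plus_1h(half_past_midnight)  # 01:00
    return {
        "cron_as_posted": valid_cron("* /5 * * * *"),
        "cron_fixed": valid_cron("*/5 * * * *"),
        "recent_data_fires": fires_as_posted(events, noon, noon - day),
        "stale_data_fires": fires_as_posted(events, one_pm, one_pm - day),
        "quiet_index_fires_as_posted": fires_as_posted(
            events, two_days_on, two_days_on - day),
        "quiet_index_fires_hardened": fires_hardened(
            events, two_days_on, two_days_on - day),
        "window_inverted_at_00_30": inverted_earliest > half_past_midnight,
        "inverted_window_fires_as_posted": fires_as_posted(
            events, half_past_midnight, inverted_earliest),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows the posted configuration firing only in the one comfortable case (data still arriving, last event a little over ten minutes old, and the window covering it); the two failure cases that matter for a "data stopped" alert, a long-quiet index and the inverted `@d+1h` window, both stay silent. A rolling earliest such as `-24h` avoids the inverted window; the empty-window case needs the search itself to produce a row when nothing matches.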

LuiesCui
Communicator

Help...please...

0 Karma

satishsdange
Builder

Hi,
Could you please set Alert Type=Real Time while saving the alert and see the result.

0 Karma