Hey guys, I'm new to Splunk and I really need your help!!!
What I want to do is to find the most recent event and see the gap between the time of the event and now. If the gap is greater than 10 minutes, the alert is triggered. So I had a search string like this:
index=palink
| stats max(_time) as LatestTime
| eval Gap=(time()-LatestTime)
| where Gap>600
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(LatestTime)
| eval dtime=strftime(Gap,"%M:%S")
| table LatestTime dtime
It worked well in search, so I saved it as an alert with the following settings:
Title: palink_alert
Alert type: Scheduled
Time Range: Run on Cron Schedule
Earliest: @d+1h
Latest: now
Cron Expression: * /5 * * * *
Trigger condition: Number of Results
Trigger if number of results: is Greater than 0
When the gap is greater than 10 minutes, I can see the results if I click Open in Search. However, on the alert page it says "There are no fired events for this alert." How do I fix this problem?
Update:
It shows alerts when I make Alert Type=Real Time. But it shows nothing in search and alerts even when it should not be triggered. I set it as follows:
Title: pa_test
Alert type: Real Time
Trigger condition: Per-Result
So I tried to set it as:
Title: pa_test
Alert type: Real Time
Trigger condition: Number of Results
Number of results is: Greater than 0
in: 1 minute(s)
And then it says "In handler 'savedsearch': windowed real-time per result alerts require field based alert throttling to be enabled." What should I do now?
Hi LuiesCui,
Your Cron expression seems to have an extra space between the star and the slash:
* /5 * * * *
There should be no space there:
*/5 * * * *
This is assuming you want to run the search every five minutes and that the extra space isn't a copy-paste error.
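For reference, here is the same scheduled alert written as a savedsearches.conf stanza, with the cron expression in its corrected form. This is an added illustration, not posted by either participant: the stanza name, search and time range are taken from the question; the alert.track line is assumed to be the setting that makes fired alerts show up on the Triggered Alerts page.

```ini
# Added example: savedsearches.conf equivalent of the alert in the question.
[palink_alert]
search = index=palink | stats max(_time) as LatestTime | eval Gap=(time()-LatestTime) | where Gap>600 | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(LatestTime) | eval dtime=strftime(Gap,"%M:%S") | table LatestTime dtime

# Scheduled (not real-time) alert.
enableSched = 1

# Every five minutes. No space between "*" and "/5": the original
# "* /5 * * * *" reads as six fields and is not a valid cron string.
cron_schedule = */5 * * * *

# Same time range as in the question: "@d" is the start of today,
# so "@d+1h" only considers events from 01:00 today onward.
dispatch.earliest_time = @d+1h
dispatch.latest_time = now

# Trigger condition: number of results greater than 0.
counttype = number of events
relation = greater than
quantity = 0

# Assumed: list each firing on the Triggered Alerts page.
alert.track = 1
```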
Help...please...
Hi -
Could you please make Alert Type=Real Time while saving an alert and see the result?