Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create alert when same warning keep coming for more than 5 hours

JYTTEJ
Communicator
‎06-28-2011 03:11 AM

During maintenance we get the same application alert: MON001E on each trx. I want to set up an alert if application alert MON001E keep coming for more than 5 hours.

The search is to be scheduled to run each hour 24/7

If this application alert (MON001E) keep coming for more than 5 hours, SPLUNK must give an alert.

Example:no SPLUNK alert:

First MON001E at 01:00:00

Last MON001E at 05:00:00

Example: SPLUNK Alert:

First MON001E at 02:00

Last MON001E at 09:00

SPLUNK must alert at 08:00

Will this search do the trick?:

MID=MON001E earliest-6h latest=-1h

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

joelshprentz
Path Finder
‎06-28-2011 02:49 PM

Try this search:

MID=MON001E earliest=-6h@h latest=@h | timechart span=1h count | eval count=min(1, count) | stats sum(count) as alertHours

Send an alert whenever alertHours > 5.

The search collects six hours of data matching MON001E. The timechart counts how many matches occur in each of the six hours. The eval limits those counts to be either 0 (no matches) or 1 (at least one MON001E). The stats totals the number of hours with at least one MON001E.

I interpreted your question as, "Send an alert whenever MID=MON001E occurs in six consecutive hours."

View solution in original post

Reply
Solved! Jump to solution
Solution

joelshprentz
Path Finder
‎06-28-2011 02:49 PM

Try this search:

MID=MON001E earliest=-6h@h latest=@h | timechart span=1h count | eval count=min(1, count) | stats sum(count) as alertHours

Send an alert whenever alertHours > 5.

The search collects six hours of data matching MON001E. The timechart counts how many matches occur in each of the six hours. The eval limits those counts to be either 0 (no matches) or 1 (at least one MON001E). The stats totals the number of hours with at least one MON001E.

I interpreted your question as, "Send an alert whenever MID=MON001E occurs in six consecutive hours."

Reply
Solved! Jump to solution

JYTTEJ
Communicator
‎06-29-2011 03:53 AM

great! Thank you very much

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...