Solved: Alert - Time interval

monteirolopes · ‎09-30-2016

Hi,

I am using the function:

| stats count(name) AS x by name | where x >4

Results:

name count(name)
Paul 10
John 3

I would like to receive alerts when the number of names (count(name)) is greater than 4 in a 5 minutes time interval, after five minutes, the count will reset and start count again.
This alert must be set in real time or Cron Scheduled time? How Can I define 5 minutes on Cron Expression?

Best Regards,
Monteiro.

gcusello · ‎09-30-2016

You have to configure an alert using your search with a time period of 5 minutes and schedule it with this cron definition

*/5 * * * *

Bye.
Giuseppe

View solution in original post

somesoni2 · ‎09-30-2016

If, you're ok with a delay of 5min to get the alert, run on Cron schedule time. Real-time alerts are expensive and they never complete. See @Cusello's answer for 5 min cron.

gcusello · ‎09-30-2016

You have to configure an alert using your search with a time period of 5 minutes and schedule it with this cron definition

*/5 * * * *

Bye.
Giuseppe

lyndac · ‎09-30-2016

I believe the cron expression you are looking for is: 5 * * * *

somesoni2 · ‎09-30-2016

Nopes... this is for running a search hourly at 5th min.

lyndac · ‎09-30-2016

Giuseppe is correct above, that is what I thought I typed, but apparently my fingers went another way.
Sorry. */5 * * * * is the correct one.

Alert - Time interval

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!