Solved: How to set up a scheduled alert based on a matchin...

thompsonsgg · ‎09-29-2016

Hello,
I would like to set up a scheduled alert that triggers when a field value is matching for 2 hours.

To give a further explanation, when our job runs long or stops running, one of the fields remains the same. This is okay as sometimes the jobs do run long and still complete, but if it runs over two hours it is something that needs to be looked into. Please find my attached search results. I would like to alert when the "ConfigVal" field displays the same timestamp for 2+ hours.

Does anyone know what my search criteria would be for this?

somesoni2 · ‎09-29-2016

Try something like this

your base search with time range earliest=-3h@h latest=@h | bucket span=1h _time | stats dc(_time) as NoOfHrs by ConfigVal | where NoOfHrs>2

View solution in original post

somesoni2 · ‎09-29-2016

Try something like this

your base search with time range earliest=-3h@h latest=@h | bucket span=1h _time | stats dc(_time) as NoOfHrs by ConfigVal | where NoOfHrs>2

thompsonsgg · ‎09-29-2016

This worked, thanks!!

sundareshr · ‎09-29-2016

Try this

your base search | bin span=2h _time | eventstats dc(ConfigVal) as dcConfigVal by _time | where dcConfigVal=1

thompsonsgg · ‎09-29-2016

Thanks for your response Sundares, unfortunately it doesn't seem to work.

When using the bin span=2h _time portion of the search, I am not finding any results. When I take that portion out I do get results, but they are the same results as just looking at the log on it's own.

How to set up a scheduled alert based on a matching field over a specific span of time?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life