Hi,
I have set up a Alert as such
index=rest because the offer is shutoff. partnerId="*" host="*-prd-rst*" | stats count by partnerId,offerId | lookup partneridlookup partnerId OUTPUT RetailerName |sort count DESC
In the timeframe, I have chosen "Relative - 2 hours Ago". The alert is set on a cron as 0 */2 * * *
[to run every two hours].
For some reason, every time this Alert is triggered, timeframe run is for "All time". It does on run for the 2 hours window provided.
The issue seems to be only with this Alert. My other Alerts work fine. Any pointers would be helpful.
Relative Timeframe for previous 2 hours should work as selected. However if you want to force the time window on your search you can add the same to your base search as well...
<Your Base Search> earliest=-2h latest=now | <Your remaining Search>
The alert should be using the timeframe you set when you created the alert.
Navigate to the alerts section of the app you are working in, or go to Settings > Searches, Reports, Alerts and open your alert for editing.
Please share your settings here:
As you can see my alert triggers every 5 minutes and looks back 5 minutes.
Let's make sure you have vaild time selectors in the configuration of the alert.
Relative Timeframe for previous 2 hours should work as selected. However if you want to force the time window on your search you can add the same to your base search as well...
<Your Base Search> earliest=-2h latest=now | <Your remaining Search>