Solved: Scheduled alerts to get the latest event

fatjoe · ‎05-17-2017

How to I schedule an alert every five minutes to retrieve the latest index event for my source type?

When I run this query it gives me the latest event indexed.
sourcetype = MonitorLog | dedup Username | WHERE SecondsElapsed >= 300

LoggedTime,Username,AllocatedDirectorySize,UsedDirectorySize,PercentageUsage,LatestFileCreationTime,TimeElapsed,SecondsElapsed
5/17/2017 12:44:11 PM,amiro,300,314,105%,5/17/2017 12:01:30 PM,"0 days, 0 hours, 42 minutes, 41 seconds",2561.1242336

I set up a scheduled alert with the following cron job parameters:

Earliest: +0m@m
Latest: +5m@m
Cron expression: */5 * * * *

But its not working?
Any help is appreciated

woodcock · ‎05-17-2017

You are searching into the future; you need to search back to the past, like this:

Earliest: -5m@m
Latest: now

View solution in original post

woodcock · ‎05-17-2017

You are searching into the future; you need to search back to the past, like this:

Earliest: -5m@m
Latest: now

fatjoe · ‎05-17-2017

@woodcock, Thanks for the help......It is working now

Scheduled alerts to get the latest event

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life