How do you create an alert in Splunk that checks a...

nls7010 · ‎01-11-2019

I need to create an alert that checks for a particular code number, and when it comes in, then if another code doesn't come in within 4 hours, a ticket is cut. I know how to check for the first code, but I'm not certain how to do the span and search for the 2nd code number.

woodcock · ‎01-13-2019

Assuming that you have a field like account that you need to group by, run something like this every hour with the timepicker set to "Last 5 Hours" (set your alert trigger to when = number of results and is greater than 0)

| makeresults 
| eval account="foo bar bat"
| makemv account
| mvexpand account
| eval code=case(account=="foo", "start middle middle stop", account=="bar", "stop", true(), "start")
| makemv code
| mvexpand code
| stats max(_time) AS _time first(code) AS code BY account
| where code=="start" AND _time <= relative_time(now(), "-240min")

richgalloway · ‎01-11-2019

This may get you started.

<your search for the code number> earliest=-4h | stats count | where count<2

---
If this reply helps you, Karma would be appreciated.

nls7010 · ‎01-11-2019

So I'm assuming that after that part of the code I would put in the if count not zero, send alert?

richgalloway · ‎01-12-2019

Not quite. Leave the query as it is and set your alert to trigger if the number of results is not zero.

---
If this reply helps you, Karma would be appreciated.

nls7010 · ‎01-14-2019

I will give this a try.

How do you create an alert in Splunk that checks a file for one code and then must see another code within 4 hours or a ticket is cut?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor