Alerting

set an alert if the job doesn't run on particular day

tvijaykumar2405
New Member

I want to setup an alert if the job is not running on particular day,
Ex: JOB=ABC123 dint run today i have setup cron to check between 1-2:15 if it is not running in the mentioned time period, Alert should be triggered.

Query:
index=abc source=ABC (JOB="AB123" OR JOB="CD345") STATUS="Missed"
| eval "Execution_Time" = strftime(_time,"%I:%M %p")
|stats latest(JOB_END_TIME) as END_TIME latest(STATUS) as STATUS values(JOB) as JOB by Execution_Time
| eval TC1=if((JOB="AB123" AND Execution_Time>"02:15 AM") OR STATUS="Missed",1,0)
| eval TC2=if((JOB_NAME="CD345" AND Execution_Time>"02:10 AM") OR STATUS="Missed",1,0)
| eval Desc=case(TC1="1","Triggering for JOB 123 Failed", TC2="1","Triggering for JOB 234 Failed", 1=1,0)
|search TC1=1 OR TC2=1
|table JOB Desc Execution_Time

Also "Desc" is displaying only "Triggering for JOB 123 Failed" though TC2=1 matches

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If STATUS is "Missed" then both TC1 and TC2 will be set. The case statement selects the first expression that matches, which is always TC1 in this case.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...