- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Re: Real time alerts triggered several days after
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Real time alerts triggered several days after
I have a an alert with settings shown below. Somehow I'm getting alert emails for events that happened many days ago, whereas I was expecting it to trigger ONLY for real time events. I have verified that the alerts trigger fine for real time events, but why did it trigger for older events. Any ideas ?
On April 21, I received an alert email for an event that happened on Sun Apr 15
Settings ( the ones I think are relevant ).
Time Range: Start time=rt, Finish Time=rt
Schedule and alert: Schedule this alert checked
Alert: Condition=always, Alert mode=Once per result, Throttling=enabled.
Thanks,
Vikas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you have timestamped your event incorrectly such that Splunk interprets it as having "happened in the future" then it will not age through your real-time window until well after it actually occurred. This is almost always a problem with TimeZones and you can get a good idea of what is happening (good or bad) with this search:
index=* | dedup date_zone splunk_server index host source | eval lagSecs=_time-_indextime | convert ctime(_indextime) as indextime| table _time indextime lagSecs date_zone splunk_server index host source
You are looking for sources where lagSecs<0 which indicate the types of events you are describing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's available in the internal field _indextime. It won't show in searches because it's internal, so you'll have to use eval first to get it to show:
... | eval indextime=_indextime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the respone.
How do I find when Splunk received the event ? Only timestamp I see on that entry is from a week ago.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When did Splunk actually receive the event? Might it be that it's an event with an older timestamp, but that it arrived just now to Splunk?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
