Issue with Alerting- Why is it not working anymore...

praneethlekkala · ‎04-27-2023

Hi

I have an issue with alerting and its not working anymore, what am i doing wrong?

My Query:

index="content" source="catalina.out" "org.apache.catalina.startup.Catalina.start Server startup" NOT Caesium | rex field=_raw "(?ms)^(?P<boot_end>\\d+\\-\\w+\\-\\d+\\s+\\d+:\\d+)(?:[^ \\n]* ){7}(?P<boot_time>\\d+)" offset_field=_extracted_fields_bounds

| eval epoch_time = _time




| eval boot_sec = boot_time * 0.001
| eval boot_min = boot_sec/60
| eval sub_time = epoch_time - boot_sec
| eval human_epoch_time = strftime(epoch_time,"%y-%m-%d %H:%M:%S")
| eval human_sub_time = strftime(sub_time,"%y-%m-%d %H:%M:%S")
| table human_epoch_time boot_sec boot_min human_sub_time host

Output:

I am not getting the duration anymore

:Alert email that i am getting doesnt contain duration , initiated at :

application has been started on node host.

Start Up Initiated at .

Start Up Completed at 23-04-27 07:46:12 .

Start Up Duration is minutes .

human_epoch_time boot_sec boot_min human_sub_time host

23-04-27 07:46:12

host

somesoni2 · ‎04-27-2023

Does running the alert search manually fetches proper results? Start with this base search and slowly add portions of your search, one at a time, to troubleshoot in which steps extraction/calculations are failing

index="content" source="catalina.out" "org.apache.catalina.startup.Catalina.start Server startup" NOT Caesium
| table _time _raw host

Issue with Alerting- Why is it not working anymore?

alert action

alert condition

email

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?