Splunk Search

How to configure a timechart alert to not trigger between a certain time frame (1:00am - 5:00am)?

raindrop18
Communicator

I am trying to set up an alert based on a timechart. My objective is to check user logins, and if no user has logged in for 1 hour, send me an alert. Also, I don't want to be sent an alert between 1am-5am because of the low traffic on my site during this time frame. This is what I have tried, but it is not working.

index=mysite host=webserver* "user-loggedin" |where NOT (date_wday=monday OR date_wday=tuesday OR date_wday=wednesday OR date_wday=thursday OR date_wday=friday OR date_wday=saturday OR date_wday=sunday) AND (date_hour >=2 AND date_hour<=6)   | timechart count as count span=1hr

The alert should trigger if the count is less than 0.

thanks

0 Karma

woodcock
Esteemed Legend

First of all, NEVER use the "free" date_* fields because they are pre-TZ-normalized values so they sometimes do not exist and when they do, they are always wrong; you must make your own and use those.

Secondly, your NOT clause includes ALL DAYS so there is nothing left to use! 😆

Try this:

index=mysite host=webserver* "user-loggedin"
| eval date_hourmin=strftime(_time, "%H%M")
| eval date_wday=strftime(_time, "%w")
| search (date_hourmin<=100 OR date_hourmin>=500)
| timechart count span=1h

0 Karma

sundareshr
Legend

If I understand your use case, you want a blackout period between 1am & 5am, right? For this, you should set up a cron schedule, something like this

1 0-2,5-23 * * * 

You could also restrict your search to run only on the last hour's data, like this

index=* earliest=-1h@h | ...
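The decision the two answers describe, deriving the hour from the event time yourself (woodcock) and checking only the previous complete hour with a 1am-5am blackout (sundareshr), as an added example in plain Python rather than SPL, so it can be run and tested offline. This is not code from the thread or from Splunk: the log lines, host names, the "user-loggedin" marker and the fixed UTC-4 site timezone are all constructed for illustration.

```python
# Added example (not from the thread): the alert decision from the question,
# reimplemented in plain Python so the hourly bucketing and the 1am-5am
# blackout can be run offline. Everything below (log lines, host names, the
# site timezone) is constructed for illustration.
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: the site's local time is a fixed UTC-4. In production derive the
# local hour from a real zone (zoneinfo) so DST is handled; the point, as in
# woodcock's answer, is to compute the hour from the event time yourself.
SITE_TZ = timezone(timedelta(hours=-4), name="site-local")
BLACKOUT_START, BLACKOUT_END = 1, 5   # suppress alerts for 01:00 <= local hour < 05:00

# Constructed sample events: "<UTC timestamp> host=<name> <message> ..."
SAMPLE_LOGS = """\
2024-05-01T03:05:12Z host=webserver1 user-loggedin user=alice
2024-05-01T03:40:00Z host=webserver2 user-loggedin user=bob
2024-05-01T04:15:30Z host=webserver1 user-loggedout user=alice
2024-05-01T06:02:00Z host=webserver1 user-loggedin user=carol
2024-05-01T06:59:59Z host=webserver3 user-loggedin user=dave
2024-05-01T08:10:00Z host=dbserver1 user-loggedin user=eve
2024-05-01T09:30:00Z host=webserver2 user-loggedin user=frank
"""


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into a tz-aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_logins(text):
    """Yield timestamps of login events on webserver* hosts.
    Mirrors: index=mysite host=webserver* "user-loggedin"."""
    for line in text.splitlines():
        ts, host, *rest = line.split()
        if host.startswith("host=webserver") and "user-loggedin" in rest:
            yield parse_utc(ts)


def hourly_counts(events):
    """Count events per one-hour bucket (like `timechart count span=1h`),
    keyed by the bucket start in UTC."""
    counts = Counter()
    for ts in events:
        counts[ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def in_blackout(bucket_start_utc):
    """True when the bucket falls inside 01:00-05:00 *local* time. The hour is
    taken from the converted timestamp, never from a pre-normalised field."""
    local_hour = bucket_start_utc.astimezone(SITE_TZ).hour
    return BLACKOUT_START <= local_hour < BLACKOUT_END


def should_alert(now_utc, counts):
    """One scheduled run: look at the previous complete hour
    (earliest=-1h@h latest=@h) and fire if it saw no logins and is not in
    the blackout window."""
    prev_hour = now_utc.replace(minute=0, second=0, microsecond=0) - timedelta(hours=1)
    if in_blackout(prev_hour):
        return False
    return counts.get(prev_hour, 0) == 0


COUNTS = hourly_counts(parse_logins(SAMPLE_LOGS))


def decide_at(iso_now_utc):
    """Convenience wrapper: would a run at this UTC instant raise the alert?"""
    return should_alert(parse_utc(iso_now_utc), COUNTS)


if __name__ == "__main__":
    for run in ("2024-05-01T04:01:00Z", "2024-05-01T05:01:00Z",
                "2024-05-01T08:01:00Z", "2024-05-01T10:01:00Z"):
        print(run, "alert" if decide_at(run) else "quiet")
```

With a run scheduled at minute 1 of every hour, this fires only for the hour that just closed, and the blackout is applied to that hour's local start time rather than to the time the search happens to run, so the suppressed runs are the ones at 02:01 through 05:01 local.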