Hi Splunk Users,
I created an alert using a field that I created and I only want to receive alerts where that field (it is a time stamp) is older than 2 days:
index = wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico" Looking_time=* | eval testDate=strptime(Looking_time,"%Y-%m-%d")
| where testDate < relative_time(now(),"-2d@d")
The search works and it gives results when tested in the search app. I made sure that the field has the right permissions and had another user test it and it does work as well.
However, when I create an alert using this search, it will not send emails when the error occurs.
When I click "View Recent" under Actions in "Searches, Reports, and Alerts", I see that the search is at 100%, but it still says it is waiting to finish, so I am thinking somehow something is wrong in my search. However, when I use the search without the alert, it yields results.
I have tried several settings in my alert and it worked when I used the search like this:
index = wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico" Looking_time=*
However, it does not work when I add the | eval part:
index = wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico" Looking_time=* | eval testDate=strptime(Looking_time,"%Y-%m-%d")
| where testDate < relative_time(now(),"-2d@d")
Thanks for your help!
Oliver
Try something like this
index = wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico" Looking_time=*
| where strptime(Looking_time,"%Y-%m-%d")< relative_time(now(),"-2d@d")
OR (I personally like this method)
index = wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico" [ |gentimes start=-1 | eval Looking_time=strftime(relative_time(now(),"-2d@d"),"%Y-%m-%d") | table Looking_time]
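As an added illustration (not part of the original answer), here is how the first search above would look when wired up as a scheduled alert with an email action in a local savedsearches.conf, rather than through the Alert dialog. The stanza name, cron schedule, dispatch window and recipient address are assumptions chosen for the example; the search itself is the answer's first method.

```ini
# Added example, not from the thread: a scheduled alert built from the
# answer's first search. Stanza name, schedule, time range and recipient
# are assumed values for illustration.
[CICO reprocess failures older than 2 days]
search = index=wms "ReprocessCICOProcessor for login" AND "Failed while reprocessing the cico" Looking_time=* | where strptime(Looking_time,"%Y-%m-%d") < relative_time(now(),"-2d@d")

# Run once a day at 06:00 (assumed schedule)
enableSched = 1
cron_schedule = 0 6 * * *

# Time range the scheduled search runs over (bounds _time, not Looking_time)
dispatch.earliest_time = -24h@h
dispatch.latest_time = now

# Trigger when the search returns at least one result
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1

# Email action; the SMTP server itself is configured on the search head
# under Settings > Server settings > Email settings
action.email = 1
action.email.to = wms-oncall@example.com
action.email.subject = Splunk Alert: $name$
```

Two things worth checking when an alert like this stays silent even though the search returns results in the Search app: the dispatch window (dispatch.earliest_time / dispatch.latest_time) bounds the event _time, while the where clause filters on the extracted Looking_time field, so the window only has to cover when the failure events were indexed, not the date stored in Looking_time; and the trigger condition (counttype / relation / quantity) must actually match the result count the search produces.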
Thank you, those searches work as well. I don't know why, but the alert is sending now with the old search as well.
Be sure to click "Accept".
Make sure you have configured the email settings on the Search Head running the search: Settings > Server Settings > Email Settings
Hope this helps