I have created this Splunk alert, which is logged as below:
Oct 4 19:03:46 psdkxs01 alert-splunk: MID=SxxI002E;DAT="xxxxxxxx timeout"
The alert is triggered when x number of MID=CxxI002W have been issued within the last 10 minutes.
Now I want to create an 'OK' alert on the following conditions:
If MID=CxxI002W has not been issued for the last 10 minutes AND MID=SxxI002E has been issued within the last 20 minutes, the OK alert has to be issued.
The logs for MID=CxxI002W look like this:
Oct 4 19:06:01 psdkxp05 MID=CxxI002W;;STM=2011-10-04 19:06:01,475
How do I accomplish this?
Maybe try something like (substitute in your own sourcetype):
sourcetype=foo earliest=-10m@m MID=CxxI002W | stats count as a | join [search sourcetype=foo earliest=-20m@m MID=SxxI002E | stats count as b ]
Then set the Alert condition to "if custom condition is met"
And set the "Custom condition search" to be:
search a = 0 AND b > 0
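To see how the two window counts combine into the OK condition before wiring it into Splunk, here is an added Python re-creation of the answer's logic (not the answerer's code, and not SPL) run over a few constructed log lines in the two formats shown in the question. It assumes the year 2011 for the syslog timestamps (syslog prefixes carry no year) and uses a fixed "now"; the `@m` snapping of the SPL search is not reproduced.

```python
import re
from datetime import datetime, timedelta

# Matches both shapes from the thread: "<Mon> <day> <hh:mm:ss> <host> ... MID=<id>",
# with or without the "alert-splunk:" program tag before the MID field.
LOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) .*?MID=([A-Za-z0-9]+)")
ASSUMED_YEAR = 2011  # assumption: syslog lines have no year; taken from the STM field shown

# Constructed sample events; "now" is fixed so the window arithmetic is reproducible.
NOW = datetime(2011, 10, 4, 19, 10, 0)
OLD_WARNING = "Oct 4 18:58:00 psdkxp05 MID=CxxI002W;;STM=2011-10-04 18:58:00,000"   # 12 min ago
ALERT_FIRED = 'Oct 4 19:03:46 psdkxs01 alert-splunk: MID=SxxI002E;DAT="xxxxxxxx timeout"'  # 6 min ago
RECENT_WARNING = "Oct 4 19:06:01 psdkxp05 MID=CxxI002W;;STM=2011-10-04 19:06:01,475"  # 4 min ago
SAMPLE_LOG = [OLD_WARNING, ALERT_FIRED]


def parse(line):
    """Return (timestamp, host, mid) for a matching line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    mon, day, hms, host, mid = m.groups()
    ts = datetime.strptime(f"{ASSUMED_YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    return ts, host, mid


def count_mid(lines, mid, now, window):
    """Equivalent of `earliest=-Nm MID=<mid> | stats count`: events with that MID in (now-window, now]."""
    return sum(1 for ev in map(parse, lines) if ev and ev[2] == mid and now - window < ev[0] <= now)


def ok_condition(lines, now):
    """Mirror of the custom condition `search a = 0 AND b > 0`.

    a = CxxI002W warnings in the last 10 minutes (must be zero: the problem has stopped)
    b = SxxI002E alert records in the last 20 minutes (must be positive: there is an alert to clear)
    """
    a = count_mid(lines, "CxxI002W", now, timedelta(minutes=10))
    b = count_mid(lines, "SxxI002E", now, timedelta(minutes=20))
    return a == 0 and b > 0
```

With SAMPLE_LOG the OK condition is met; adding RECENT_WARNING makes a = 1 and suppresses it, and without any SxxI002E record b = 0, so no OK is raised when nothing was alerted.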
That's a nice workaround, but in that case we have to configure 2 searches for each thing being monitored...
Splunk needs some kind of OK condition to fire an "all ok" alert and remove the entry in "alerts"; this is missing.
Cool... don't forget to "accept" the answer... helps out Splunkbase.
GREAT - thank you! I did try something similar with the earliest=-10m and earliest=-20 minutes - but got stuck with an error message. You have solved my problem.