Reputation: 281
Splunk Alert - setting different threshold during the day
I need to set up splunk alert with the following scenario: Between 2:01 AM and 4:59 AM - If the count of 5xx error is less than 5 then send Alert Between 5:00 AM - 2:00 AM - If the count of 5xx error is less than 25 then send Alert Is there a way in Splunk to do this? Appreciate any help on this.
Upvotes: 0
Views: 393
Answers (1)
Reputation: 9926
There are a couple of ways to do that. The first is to define two alerts with different thresholds and cron schedules.
The second way is to have a single alert that tests the current time before deciding on a threshold.
| eval threshold = if((now() > relative_time(now(), "@d+2h")) AND (now() < relative_time(now(), "@d+5h")), 5, 25)
| where count > threshold
The relative_time function skews the first argument by the interval given in the second argument. In this case, the current time is set to midnight (0:00, "@d") plus 2 or 5 hours ("+2h" or "+5h").
Upvotes: 1
Related Questions
- How to search a given time range for every day in Splunk?
- Splunk Alert - setting severity based on duration of events
- Splunk Alert - custom trigger condition - trigger alert if percentage failure increase by 1% in last 15 minutes
- splunk and how to do alerting on the first/last business day
- Alerting in splunk for different thresholds
- Splunk Alert Creation
- Splunk: Throttling of alerts
- Splunk: Schedule alert to run every 10 minutes
- Splunk searching event logs to find values exceeding a given threshold
- Staggering cron alerts in Splunk?