Channel: Questions in topic: "splunk-enterprise"

Two time period search with summary index or kvstore

We have a rare query from a team, and the situation is:

- The team needs to get an alert immediately (within 5 minutes).
- The team doesn't want to miss an alert (even if there is a network delay, an indexing delay, or some other issue).
- The alert also cannot be duplicated if it has already been alerted.
- Alerting is done on the event time (not index time).

So if an event comes in in real time, there is no problem. But if there are network issues and, say, the event gets delayed by 6 minutes, they need a sweep-up of such delayed alerts so it is still alerted, but NOT shown as a duplicate.

I thought of an option:

- Have two searches: SavedSearch1, which runs every 5 mins and searches the previous 5 mins, and SavedSearch2, which runs every 5 mins but sweeps events in the last 60 mins.
- Summary index SavedSearch1, and have SavedSearch2 compare against the summary index (using the same time) to check whether the event is already there.

So my question is: have you guys dealt with a similar situation? Is there any other better option?
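The following is an added example of the "sweep and deduplicate" pattern the question describes, not code from the original post or from Splunk. It uses a KV Store lookup instead of a summary index as the record of what has already been alerted, keyed on event time rather than index time. The index, sourcetype, field names (host, error_code, severity) and the lookup name alerted_events_kv are assumed; the lookup is assumed to be defined over a collection with the fields _time, host, error_code, alert_key and alerted_at.

```spl
index=app_logs sourcetype=app:error severity=critical
    earliest=-60m@m latest=@m
| eval alert_key=md5(_time."|".host."|".error_code)
| lookup alerted_events_kv alert_key OUTPUT alerted_at
| where isnull(alerted_at)
| eval alerted_at=now()
| fields _time host error_code alert_key alerted_at
| outputlookup append=true alerted_events_kv
```

Scheduled every 5 minutes with the alert condition "number of results > 0", a single search over the trailing 60 minutes covers both the fresh events and the late arrivals: an event delayed by 6 minutes is simply picked up on a later run, and because alert_key is built from the event's own _time it matches whether the event was indexed promptly or not. The lookup/where pair drops anything already recorded, and outputlookup append=true records the new keys in the same pass, so the same event cannot alert twice. Running one sweep rather than two separate searches also avoids the race in which both searches see a late event before either has written it to the store. Two caveats: events arriving more than 60 minutes late are still missed unless the window is widened, and the collection grows without bound, so a separate scheduled search should periodically drop rows whose alerted_at is older than the sweep window.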

