The process has been to set up an alert that looks back 1 minute, with a snap to the start and end of the minute.
This process would not trigger on all log entries. The process was changed to a 5-minute process that would look back 5 minutes and process every log entry.
This would still not report all log entries. The one-minute lookback schedule missed a small number of entries, but with a 5-minute lookback it is missing large sections of entries.
When I run the SPL query in Splunk, it shows the missing log entries that should be in Glip.
How can I get Splunk to trigger an action on all log entries with no more than a 5-minute lookback? [Search 5min Configuration](https://i.stack.imgur.com/RmEaq.png)
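Added illustration, not part of the question or of Splunk itself: a small simulation of one common cause of the symptom described above, on the assumption that the missed entries are indexed after the scheduled window has already been searched (indexing latency). Event timestamps, index timestamps and run times are constructed; the two selectors model a window applied to `_time` versus one applied to `_indextime`.

```python
"""Simulate a scheduled alert with a 1-minute lookback snapped to the minute.
Each event has an event timestamp (like Splunk's _time) and an indexing
timestamp (like _indextime). Constructed data, not from a real deployment.
"""
from dataclasses import dataclass

WINDOW = 60  # seconds: earliest=-1m@m latest=@m


@dataclass(frozen=True)
class Event:
    event_time: int  # seconds, models _time
    index_time: int  # seconds, models _indextime


# Constructed stream; the third and fourth events reach the indexer late.
EVENTS = [
    Event(event_time=65, index_time=66),
    Event(event_time=100, index_time=101),
    Event(event_time=118, index_time=140),  # 22 s of indexing lag
    Event(event_time=119, index_time=185),  # 66 s of indexing lag
    Event(event_time=130, index_time=131),
]


def window_by_event_time(events, run_at):
    """The alert as described: window on _time, but the search can only
    see events that were already indexed when the run started."""
    start, end = run_at - WINDOW, run_at
    return [e for e in events
            if start <= e.event_time < end and e.index_time <= run_at]


def window_by_index_time(events, run_at):
    """Same cadence, window applied to _indextime instead: an event is
    picked up on the first run after it was actually indexed. The base
    search's _time range must stay wide enough to include lagged events."""
    start, end = run_at - WINDOW, run_at
    return [e for e in events if start <= e.index_time < end]


def run_schedule(selector, events, runs):
    """Replay the cron-style schedule and collect everything the alert saw."""
    seen = []
    for run_at in runs:
        seen.extend(selector(events, run_at))
    return seen


RUNS = [120, 180, 240]  # one run at each minute boundary
```

Windowing on event time yields 3 of the 5 events (the two lagged ones are never seen by any run), while windowing on index time yields all 5; in Splunk the latter corresponds to the `_index_earliest` / `_index_latest` time modifiers.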