I have this alert
# Scheduled search that counts "F308 launched" events for the current day up to
# 08:00 and emits one result row when that count is zero (see "search" below).
[nitro_F308-failed-to-launch]
action.email.inline = 1
# Any result row is written to the summary index named on the next line.
action.summary_index = 1
action.summary_index._name = nitro_splunk_summary
alert.digest_mode = True
alert.expires = 10s
alert.suppress = 0
alert.track = 0
# NOTE(review): auto_summarize.* configures report acceleration; the time range
# this search runs over comes from earliest/latest inside the search string.
auto_summarize.dispatch.earliest_time = -1d@h
# Runs daily at 08:01. NOTE(review): the window ends at 08:00, so a launch event
# that is indexed more than about a minute late is not counted on this run.
# Confirm ingestion latency for nitro_ecomm, or schedule the search later.
cron_schedule = 1 8 * * *
description = F308 Failed to Launch before 8:00 AM
enableSched = 1
realtime_schedule = 0
# "stats count" with no BY clause returns a single row even when nothing matched,
# so "where JobCount < 1" keeps that row whenever zero events were found for any
# reason (wrong time range, indexing lag, phrase not matching), not only when
# the job really failed to launch.
# NOTE(review): "latest =@d+8h" has a space before "="; time modifiers are
# normally written without one (latest=@d+8h). Check the job inspector to
# confirm the search actually ran over 00:00-08:00 of the current day.
# NOTE(review): the eval target Service-Now_Assignment_Group contains a hyphen;
# field names with special characters normally need quoting in eval. Confirm
# that the field is created as intended.
# NOTE(review): no trigger condition (counttype / relation / quantity) is shown
# in this stanza. Confirm which condition is in effect.
search = index=nitro_ecomm sourcetype=nitro_log "[name=F308]] launched" earliest=@d latest =@d+8h | stats count as JobCount | where JobCount < 1 |eval Weight="50" | eval Metric="Health" | eval _time=now()|eval Metric_Category="Application"| eval Metric_Type="Error" | eval Application="Batch" | eval Key="Host" | eval Frequency="24 hour" | eval ID="NA" | eval Description="F308 did not launch before 8:00 AM" | eval Value=JobCount | eval Alert_Type="Critical" | eval Service-Now_Assignment_Group="EC-IScore"| eval Alert="Yes" | eval Violation=1 | eval Search_name="nitro_F308-failed-to-launch" | table _time Metric_Category Metric Metric_Type Application Key ID Description Frequency Value Alert_Type Alert Service-Now_Assignment_Group Weight Violation Search_name
disabled = 0
This alert continues to fire every day even though the job did launch before 8 AM. Is there a specific reason for this? Did I write the search incorrectly?