Hi All, I have used the query below to capture the **Splunk service status (Up or Down) via splunkd.log**. When executed with the time range set to yesterday, we get the output. But I want to configure an alert to run this query every 15 min and trigger an email alert with the output result.
Query details:

```
index=_internal host=hs* sourcetype=splunkd source="/opt/splunk/var/log/splunk/splunkd.log" "ShutdownHandler - shutting down level" OR "TailingProcessor - Shutting down with*" | stats earliest(_time) AS Earliest, values(linecount) AS Failures by host | convert ctime(Earliest) | addcoltotals label="Total" labelfield="Total_Number_of_Failures"
```
Below are the configuration steps done to trigger an alert every 15 min:
1) Set Alert type --> Scheduled
2) Time Range --> Run on Cron Schedule
3) Earliest --> -15m
4) Latest --> now
5) Cron Expression --> */15 * * * *
6) Trigger condition --> Number of Results
7) Trigger if number of results --> is less than 0
8) Email Action --> Send Email
9) Include result --> inline
10) Action option --> Once
**Splunk version - 6.0.3**
Kindly guide me on how to fix this problem so that the alert fires every 15 mins.
Thanks in advance.
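The same alert expressed as a `savedsearches.conf` stanza, added here as an example and not taken from the post above. The stanza name, the recipient address and the `local/` location are assumptions. One detail differs from the steps in the post on purpose: the trigger comparison is "greater than 0", because a result count can never be less than 0, so a "less than 0" condition never fires and no email is ever sent.

```ini
# Added example: savedsearches.conf stanza for a 15-minute splunkd shutdown alert.
# Place in $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf (assumed path).
[splunkd_shutdown_every_15m]
# The search from the post, unchanged apart from the closing quote on labelfield
search = index=_internal host=hs* sourcetype=splunkd source="/opt/splunk/var/log/splunk/splunkd.log" "ShutdownHandler - shutting down level" OR "TailingProcessor - Shutting down with*" | stats earliest(_time) AS Earliest, values(linecount) AS Failures by host | convert ctime(Earliest) | addcoltotals label="Total" labelfield="Total_Number_of_Failures"

# Scheduled alert, run on a cron schedule every 15 minutes
enableSched = 1
cron_schedule = */15 * * * *

# Search window: the 15 minutes leading up to each scheduled run
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Trigger condition: fire when the number of results is greater than 0.
# A "less than 0" relation can never be satisfied by a count.
counttype = number of events
relation = greater than
quantity = 0

# "Once" per search (digest mode) rather than once per result row
alert.digest_mode = 1
# Show firings under Activity > Triggered Alerts for later review
alert.track = 1

# Email action with the result table inline in the message body
action.email = 1
action.email.to = alerts@example.com
action.email.sendresults = 1
action.email.inline = 1
action.email.subject = Splunk alert: splunkd shutdown events in the last 15 minutes
```

Splunk reads a new stanza in `local/savedsearches.conf` after a splunkd restart; the alert then appears under Settings > Searches, reports, and alerts, where the trigger condition should read "Number of Results is greater than 0". If the alert still never fires, run the search manually over the same `-15m` window: when the hosts have not restarted in that window the search legitimately returns zero rows, and a 15-minute window only catches shutdowns logged inside it.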