During alert creation, if I enable Summary Indexing, how can I tell splunk to use a time field in the data rather than adding one?
DETAILS:
I have set up an alert with a search that returns a set of fields. The search looks like this:
index=si-br-counts earliest=-30d@d latest=-1d@d
| stats count as count sum(filesize) as volume by site, server, priority, _time
| bin _time span=1d
| eval weekday=strftime(_time,"%w")
| eval sub_weekday=strftime(now(),"%w")
| eval sub_weekday=sub_weekday-1
| where weekday==sub_weekday
| stats sum(volume) as volume sum(count) as count by site, server, _time
| stats avg(count) as avgcount avg(volume) as avgvolume by site, server
| appendcols [search index=si-br-counts earliest=-1d@d latest=-0d@d
    | stats count as count sum(filesize) as volume by site, server, priority, _time
    | eval sub_weekday=strftime(_time,"%w")
    | stats sum(count) as count sum(volume) as volume by sub_weekday, site, server]
| lookup br-alerting.csv site as site server as server OUTPUT lower as lower upper as upper email as recipients site as fsite server as fserver
| where fsite==site AND fserver==server
| eval highcount=(avgcount*upper)
| eval lowcount=(avgcount*lower)
| eval highvol=(avgvolume*upper)
| eval lowvol=(avgvolume*lower)
| eval trigger_time=now()
| fields trigger_time, site, server, count, volume, lowcount, highcount, lowvol, highvol
I have checked the Enable Summary Indexing box and added two fields alert_name and app_name.
After the alert fires, I search the summary index for the last 24 hours. No results. If I change to All Time, I can find my events. They have _time set to the minimum date in the search (which is 30 days ago). This is NOT what I want. I would like _time to be set to the value of the field trigger_time so that I can search easily changing the time from the pulldown. How can I make this happen?
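Added example (not part of the original post, and not an answer from the thread): summary indexing writes each result row as an event whose timestamp is taken from the row's own _time field, so the usual way to control the summary event time is to set _time explicitly in the search before the results are handed to the summary index. The tail of the alert search above, with _time assigned from trigger_time, and a follow-up search to confirm the timestamps; the summary index name summary_br_alerts is a placeholder assumption:

```spl
... | eval trigger_time=now()
| eval _time=trigger_time
| fields _time, trigger_time, site, server, count, volume, lowcount, highcount, lowvol, highvol

index=summary_br_alerts earliest=-24h
| table _time, trigger_time, site, server, count, volume
```

The first search is the replacement for the final two stages of the alert query; the second verifies that the summary events now sit in the last 24 hours. _time must be epoch seconds, which now() already returns, and the eval has to come before the stage that drops fields, since only fields still present in each row reach the summary index. The same _time assignment applies if the summary index is written with an explicit | collect index=summary_br_alerts stage instead of the alert's Enable Summary Indexing checkbox.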