How it works...

The underlying search for this recipe is relatively simple. We are looking at the sensor metric data for any sensor whose reported temperature exceeds 23°C within a 5-minute period. When sensor data meeting this criterion is found, Splunk fires the alert and writes a log event containing the pertinent information to an index of our choosing.

Using Splunk's cron-style scheduling, we set the alert to run every 5 minutes and to search back over the previous 5 minutes, so that consecutive runs cover contiguous windows. Each time the alert fires, it writes a log event to the specified index with the sourcetype hvac:sensor:temp.

We used tokens in the Log Event text so that the generated event carries the values from the triggering search results (sensor, temperature, and so on) rather than a static message, which makes the event far more meaningful when the alert fires.

In this recipe, we were careful to use key-value formatting ...
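The following is an added example, not the recipe's own search or Splunk configuration: a stand-alone Python re-implementation of the alert logic described above, so the 5-minute window, the "exceeds 23°C" condition, the $result.field$ token substitution and the key=value formatting of the generated event can be checked offline. The raw field names (sensor, zone, temp), the target index name, the alert name and the sample readings are all assumptions; in Splunk the same behaviour comes from a scheduled search with a log event alert action.

```python
"""Added example, not the recipe's own search: a stand-alone re-implementation
of the alert described above, so the window, threshold and token behaviour can
be checked offline.  The raw field names (sensor, zone, temp), the target index
name, the alert name and the sample readings are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

THRESHOLD_C = 23.0                 # fire when a sensor's peak exceeds 23 C
WINDOW = timedelta(minutes=5)      # look back 5 minutes, aligned to the minute
TARGET_INDEX = "hvac_alerts"       # assumed name for the "index of our choosing"
TARGET_SOURCETYPE = "hvac:sensor:temp"

# Constructed sample readings; in Splunk these come from the raw sensor index.
SAMPLE_READINGS = """\
2024-03-01T09:58:00Z sensor=hvac-03 zone=loading-bay temp=27.1
2024-03-01T10:00:10Z sensor=hvac-01 zone=lobby temp=22.4
2024-03-01T10:01:40Z sensor=hvac-02 zone=server-room temp=23.9
2024-03-01T10:02:05Z sensor=hvac-01 zone=lobby temp=22.9
2024-03-01T10:03:30Z sensor=hvac-02 zone=server-room temp=24.6
2024-03-01T10:04:50Z sensor=hvac-03 zone=loading-bay temp=23.0
"""
SAMPLE_NOW = datetime(2024, 3, 1, 10, 5, tzinfo=timezone.utc)  # the scheduled run time

# Log Event text in the same $result.<field>$ / $name$ token form Splunk accepts.
EVENT_TEMPLATE = ("alert=$name$ sensor=$result.sensor$ zone=$result.zone$ "
                  "max_temp=$result.max_temp$ threshold=$threshold$ "
                  "window_start=$result.window_start$ window_end=$result.window_end$")

KV_RE = re.compile(r"(\w+)=(\S+)")
TOKEN_RE = re.compile(r"\$(result\.)?(\w+)\$")


@dataclass(frozen=True)
class Reading:
    ts: datetime
    sensor: str
    zone: str
    temp: float


def parse_readings(text):
    """Parse '<iso-timestamp> key=value ...' lines into Reading objects."""
    readings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, _, rest = line.partition(" ")
        fields = dict(KV_RE.findall(rest))
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        readings.append(Reading(ts, fields["sensor"], fields["zone"], float(fields["temp"])))
    return readings


def evaluate_alert(readings, now):
    """One scheduled run: peak temperature per sensor over [now-5m, now),
    snapped to the minute, keeping only sensors whose peak exceeds the threshold."""
    latest = now.replace(second=0, microsecond=0)
    earliest = latest - WINDOW
    peaks = {}
    for r in readings:
        if earliest <= r.ts < latest and (r.sensor not in peaks or r.temp > peaks[r.sensor].temp):
            peaks[r.sensor] = r
    return [
        {"sensor": r.sensor, "zone": r.zone, "max_temp": f"{r.temp:.1f}",
         "window_start": earliest.isoformat(), "window_end": latest.isoformat()}
        for r in sorted(peaks.values(), key=lambda r: r.sensor)
        if r.temp > THRESHOLD_C          # strictly "exceeds": exactly 23.0 does not fire
    ]


def kv_quote(value):
    """Quote a value so it survives as ONE key=value pair.  Without this, a
    sensor-supplied field such as zone='lobby temp=99' would inject a fake
    field into the generated event."""
    s = str(value)
    if re.search(r'[\s="]', s):
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return s


def render_event(template, row, context):
    """Substitute $result.<field>$ from the result row and $<name>$ from the
    alert context; an unknown token is an error here rather than left as-is."""
    def sub(m):
        source = row if m.group(1) else context
        return kv_quote(source[m.group(2)])
    return TOKEN_RE.sub(sub, template)


def fire_alert(readings, now, name="HVAC temperature above 23C"):
    """Emulate the alert action: one log event per triggering result row."""
    context = {"name": name, "threshold": f"{THRESHOLD_C:g}", "trigger_time": now.isoformat()}
    return [
        {"index": TARGET_INDEX, "sourcetype": TARGET_SOURCETYPE,
         "event": render_event(EVENT_TEMPLATE, row, context)}
        for row in evaluate_alert(readings, now)
    ]


if __name__ == "__main__":
    for ev in fire_alert(parse_readings(SAMPLE_READINGS), SAMPLE_NOW):
        print(f'[{ev["index"]} / {ev["sourcetype"]}] {ev["event"]}')
```

Two details are worth checking against a real deployment. First, the reading at 09:58 is ignored even though it is the hottest, because it falls outside the 10:00 to 10:05 window of that run; a late-arriving event can be missed in the same way, so the look-back should be at least as long as the expected ingestion delay. Second, any token value that comes from the data (here the zone name) is quoted before it is placed in the key=value event, so a value containing spaces or an equals sign cannot smuggle extra fields into the alert index.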

Get Splunk Operational Intelligence Cookbook - Third Edition now with the O’Reilly learning platform.