topic Re: Customized Query in Splunk Enterprise

How to create an alert when SuccessRate is Less than 40, and then it should trigger an email alert?

Ash1 — Mon, 17 Apr 2023 21:01:34 GMT

From the below query i want to get the alert when SuccessRate is Less than 40, it should trigger an email alert with customise message like "SuccessRate is less than 40 %, please take action."

how can i do this??

index=app-code host_ip=34.23.234.12
|search activity=done
|eval result=if(like(responseHttp, "200"), "Success", "error")
|stats count (eval(result="Success")) as Total_Success, count(responseHttp) as Total
|eval Success_Count=(Total_Success/Total)*100.0
|stats avg(Success_Count) as SuccessRate
|where SuccessRate <40

Re: Customized Query

inventsekar — Fri, 14 Apr 2023 22:15:19 GMT

Hi @Ash1 please check this Alerts documentation.. you can look for "tokens" in this pdf file..

let us know if you are stuck, we can help you.. thanks..

https://docs.splunk.com/Documentation/Splunk/9.0.2/Alert/Aboutalerts

https://docs.splunk.com/Documentation/Splunk/9.0.4/Alert/Emailnotification

https://docs.splunk.com/Documentation/Splunk/latest/Alert/Setupalertactions

Re: Customized Query

Ash1 — Sat, 15 Apr 2023 02:43:18 GMT

Hi @inventsekar here the message i want to display in mail is static message which is not mentioned in my logs to use tokens.

At the end of my query i tried to use

|Eval SuccesRate=if(Success rate<40, "SuccessRate is low, please take action." )

But this is not working

Re: Customized Query

inventsekar — Sat, 15 Apr 2023 03:22:53 GMT

index=app-code host_ip=34.23.234.12 |search activity=done |eval result=if(like(responseHttp, "200"), "Success", "error") |stats count (eval(result="Success")) as Total_Success, count(responseHttp) as Total |eval Success_Count=(Total_Success/Total)*100.0 |stats avg(Success_Count) as SuccessRate |where SuccessRate <40

you mean, this search query is not working ah.. pls run this search query line by line, so that you can understand which part of this query didnt work..

Re: Customized Query

Ash1 — Sun, 16 Apr 2023 01:49:10 GMT

Hi @inventsekar , my query is working but i want to display customised message in the email when success percentage is less than 40.

For that i tried adding the below eval to the end of my query, but this message is not showing up when i run in splunk.

|Eval SuccesRate=if(Success rate<40, "SuccessRate is low, please take action." )

How can I do it???

Re: Customized Query

inventsekar — Sun, 16 Apr 2023 01:59:52 GMT

1). Ur query is working fine. Good..

2). Is the the alerts working as expected?

3). When alert fire, you want the subject line or the body.. which one you want to customize

4) did you try the tokens( $variable$ ) idea..

Re: Customized Query

woodcock — Sun, 16 Apr 2023 20:23:15 GMT

You are already there, just set it as an alert with "Number of Results is greater than 0":

index="_internal" AND sourcetype="splunkd_access" AND Http
| rex "HTTP\/\S+\"\s+(?<responseHttp>\d\d\d)\s+"
| eval result=if(like(responseHttp, "200"), "Success", "error")
| stats count(eval(result="Success")) AS Total_Success, count(responseHttp) AS Total
| eval Success_Count=(Total_Success/Total)*100.0
| stats avg(Success_Count) AS SuccessRate
| where SuccessRate<40
| eval message="SuccessRate is low, please take action."