https://community.splunk.com/t5/Getting-Data-In/Monitor-alerts-alarm-if-alerts-do-not-work/m-p/471892#M81092 <P>Hello together,</P> <P>i want to monitor existing alerts in splunk. For the case that an alarm doesn't work proper and doesn't find anything I want to get a notice or an alarm for that.</P> <P>I do not know how to do this far.</P> <P>Is there something in the internal index where splunk logs its alarms? Any suggestions?</P> <P>Thanks in advance. </P> Thu, 05 Sep 2019 06:26:20 GMT igschloessl 2019-09-05T06:26:20Z https://community.splunk.com/t5/Getting-Data-In/Monitor-alerts-alarm-if-alerts-do-not-work/m-p/471892#M81092 <P>Hello together,</P> <P>i want to monitor existing alerts in splunk. For the case that an alarm doesn't work proper and doesn't find anything I want to get a notice or an alarm for that.</P> <P>I do not know how to do this far.</P> <P>Is there something in the internal index where splunk logs its alarms? Any suggestions?</P> <P>Thanks in advance. </P> Thu, 05 Sep 2019 06:26:20 GMT https://community.splunk.com/t5/Getting-Data-In/Monitor-alerts-alarm-if-alerts-do-not-work/m-p/471892#M81092 igschloessl 2019-09-05T06:26:20Z https://community.splunk.com/t5/Getting-Data-In/Monitor-alerts-alarm-if-alerts-do-not-work/m-p/471893#M81093 <P>As a starting point have a look at <CODE>index=_internal sourcetype=scheduler</CODE> this will give you all scheduled search logs like, when it started, when its completed, eventcount, resultcount, timetaken etc.</P> Thu, 05 Sep 2019 08:24:59 GMT https://community.splunk.com/t5/Getting-Data-In/Monitor-alerts-alarm-if-alerts-do-not-work/m-p/471893#M81093 harsmarvania57 2019-09-05T08:24:59Z https://community.splunk.com/t5/Getting-Data-In/Monitor-alerts-alarm-if-alerts-do-not-work/m-p/471894#M81094 <P>Thank you. I tried to do a summary with appendcols</P> <P>index=_internal sourcetype=scheduler earliest=-7d@d latest=-0d@d <BR /> | eval period="-7d"<BR /> | stats count min(result_count) as min_result_count max(result_count) as max_result_count avg(result_count) as avg_result_count by savedsearch_name app period<BR /> | eval avg_result_count= round(avg_result_count,2)<BR /> | table savedsearch_name app period min_result_count max_result_count avg_result_count count</P> <P>| appendcols [search index=_internal sourcetype=scheduler earliest=-14d@d latest=-7@d<BR /> | eval period= "-14d"<BR /> | stats count min(result_count) as min_result_count max(result_count) as max_result_count avg(result_count) as avg_result_count by savedsearch_name app period<BR /> | eval avg_result_count= round(avg_result_count,2)<BR /> | table savedsearch_name app period min_result_count max_result_count avg_result_count count<BR /> ]<BR /> | appendcols [search index=_internal sourcetype=scheduler earliest=-21d@d latest=-14@d<BR /> | eval period= "-21d"<BR /> | stats count min(result_count) as min_result_count max(result_count) as max_result_count avg(result_count) as avg_result_count by savedsearch_name app period<BR /> | eval avg_result_count= round(avg_result_count,2)<BR /> | table savedsearch_name app period min_result_count max_result_count avg_result_count count<BR /> ]<BR /> But this does not work. And I dont know how to alarm if the counts are highly different from the weeks before.</P> Wed, 30 Sep 2020 02:04:39 GMT https://community.splunk.com/t5/Getting-Data-In/Monitor-alerts-alarm-if-alerts-do-not-work/m-p/471894#M81094 igschloessl 2020-09-30T02:04:39Z