topic Re: creating alerts in Alerting

creating alerts

bellaed — Wed, 16 Jan 2013 09:07:45 GMT

newbie to splunk
Can i create an alert displaying on the splunk app,that looks like "indexing volume exceeded" alert from splunk. i am not using real-time dashboards. when i am uploading a file containing some unexpected termination , can i create an alert to the user like "Unexpected termination found in the file."
Basic Perl script like this will work or do i have to continue exploring splunk Perl script.
#!/splunk/bin/scripts

       if($termination eq "UNEXPECTED") {
         print "UNEXPECTED TERMINATION FOUND IN FILE!!!!!! ";
       }

Hope this information explains my query.
Thank You
Bella

Re: creating alerts

DaveSavage — Wed, 16 Jan 2013 09:34:18 GMT

Bella,
Just to get this straight your file contains error warnings messages and you would like to see any such conditions in the Splunk banner warning message area?
If your data from the file is being indexed ok, and you write a simple search to run at time of your choice containing that message verbatim, you would get your result, but not as yet in the banner - but could via usual notifications. The search can be scheduled - it doesn't have to wait for you to kick it off from the GUI. Is that what you mean?
Br
D

Re: creating alerts

bellaed — Wed, 16 Jan 2013 10:01:47 GMT

'm not specific about banner area. it can be an alert box or a new window, something like that , but it should trigger when i am searching source="that log file"

Re: creating alerts

bellaed — Wed, 16 Jan 2013 10:30:21 GMT

Dave,
Is it possible to do this?

Re: creating alerts

DaveSavage — Wed, 16 Jan 2013 15:51:47 GMT

Yes it is...wait 1 and I'll find the resource links...

Re: creating alerts

DaveSavage — Wed, 16 Jan 2013 16:13:56 GMT

Bella, check out http://docs.splunk.com/Documentation/Splunk/latest/Search/Whatsinthismanual and http://docs.splunk.com/Documentation/Splunk/latest/Alert/Aboutalerts reference points. I'm looking for the link to David Carasso's Exploring Splunk which I would recommend, it's an excellent resource when you are finding your feet. If that doesn't completely meet your needs then post a question back. If a new question is different to the content above then post it as new, but obviously don't duplicate content - it gets confusing for those trying to help.
Good luck and welcome to this new world! 😉
D

Re: creating alerts

DaveSavage — Wed, 16 Jan 2013 16:31:15 GMT

Found it: http://www.splunk.com/goto/book
Btw, David C's work and recommendations are available at http://www.innovato.com/splunk/

Re: creating alerts

bellaed — Thu, 17 Jan 2013 10:51:31 GMT

Dave, I could see only email alerts and alerts on alert manager, how could i do exactly what i am in need of.

Re: creating alerts

DaveSavage — Thu, 17 Jan 2013 14:40:30 GMT

I see this Bella - how confident do you feel about building your first dashboard? The search part is easy. Given that this may not be the last item you need to know about, it would merit the learning curve. I'm just going to check out 2 other (already built) plug-ins which might do that for you.

Re: creating alerts

bellaed — Tue, 22 Jan 2013 11:41:04 GMT

i was in search of an app or plugin that can help me to do this 😞 .. all in vain i guess

Re: creating alerts

katesplunk — Wed, 23 Jan 2013 06:54:56 GMT

Wow Bella, Me too have the same requirement.. Did u find a way?

Re: creating alerts

bellaed — Mon, 11 Feb 2013 07:08:20 GMT

Can appending some scripts or Plugins do the job of creating an alert message in the dashboard itself?