topic Re: How can i add alert to my search query using trigger condition alert in Alerting

How can i add alert to my search query using trigger condition alert

neilfajardo15 — Tue, 05 Oct 2021 10:01:16 GMT

Hi, Im setting up an alert for data flow the alert build is when the application is not running it will send us an alert and i use trigger condition in the alert.
here is the search query
| eval value1=if(like(sample, "value1"), 1,0), value2=if(like(sample, "value2"), 1,0), value3=if(like(sample, "value3"), 1,0)
| stats sum(value1) as VALUE1, sum(value2) as VALUE2, sum(value3) as VALUE3
| table VALUE1, VALUE2, VALUE3

and for the alert condition i use this command
search VALUE1 = 0

"0" because in the sum it indicates that the 0 means data is not flowing in splunk meaning the application is down

Thanks in advance

Re: How can i add alert to my search query using trigger condition alert

ITWhisperer — Tue, 05 Oct 2021 10:13:09 GMT

You might want to use

| where VALUE1=0

then you can alert on whether there are any results or not

Re: How can i add alert to my search query using trigger condition alert

neilfajardo15 — Tue, 05 Oct 2021 10:55:16 GMT

Hi thanks for the answer, but im still not able to receive alerts 😞 im using email alerts

Re: How can i add alert to my search query using trigger condition alert

ITWhisperer — Tue, 05 Oct 2021 11:40:14 GMT

How have you set up your alerts?

Re: How can i add alert to my search query using trigger condition alert

neilfajardo15 — Tue, 05 Oct 2021 11:44:26 GMT

I use this and it is realtime

Re: How can i add alert to my search query using trigger condition alert

neilfajardo15 — Tue, 05 Oct 2021 11:59:31 GMT

here is my original query
| eval amd-eu1=if(like(namespace, "amd-eu1"), 1,0),
amd-eu2=if(like(namespace, "amd-eu2"), 1,0), amd-eu3=if(like(namespace, "amd-eu3"), 1,0), amd-eu4=if(like(namespace, "amd-eu4"), 1,0),
amd-eu5=if(like(namespace, "amd-eu5"), 1,0), amd-ap1=if(like(namespace, "amd-ap1"), 1,0), amd-am1=if(like(namespace, "amd-am1"), 1,0)
| stats sum(amd-eu1) as AMD_EU1, sum(amd-eu2) as AMD_EU2, sum(amd-eu3) as AMD_EU3, sum(amd-eu4) as AMD_EU4, sum(amd-eu5) as AMD_EU5, sum(amd-ap1) as AMD_AP1, sum(amd-am1) as AMD_AM1

i have remove the table

Re: How can i add alert to my search query using trigger condition alert

ITWhisperer — Tue, 05 Oct 2021 12:13:05 GMT

Rather than custom, can you use number of results returned by the search?

Re: How can i add alert to my search query using trigger condition alert

neilfajardo15 — Tue, 05 Oct 2021 12:43:46 GMT

But due to the stats sum and the value inside it a table will be created then it will be a result for the search

Re: How can i add alert to my search query using trigger condition alert

ITWhisperer — Tue, 05 Oct 2021 12:53:19 GMT

Put the where as part of your search rather than the custom condition on the alert

Re: How can i add alert to my search query using trigger condition alert

neilfajardo15 — Wed, 06 Oct 2021 06:08:22 GMT

Hi, Sorry for the late reply the alert works but it was spamming a lot of mail and also even though the data is flowing it is still alerting