https://community.splunk.com/t5/Alerting/Alert-with-3-different-threshold-for-3-different-event-in-on/m-p/685652#M15964 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/247215">@cbiraris</a>&nbsp;,</P><P>I suppose that these three values are in a field (e.g. type), so you can run a search like the folowing:</P><LI-CODE lang="markup">index= abc sourcetype=xyz type IN ("warning", "Error", Critical) | stats values(eval(type="warning")) AS warning_count values(eval(type="Error")) AS Error_count values(eval(type="Critical")) AS Critical_count | where warning_count&gt;5 OR Error_count&gt;5 OR Critical_count&gt;5</LI-CODE><P>you can aso setup a different threshold for each type of message.</P><P>If you don't have the three values in a fied, you have to use a similar search:</P><LI-CODE lang="markup">index= abc sourcetype=xyz ("warning" OR "Error" OR Critical) | stats values(eval(searchmatch("warning"))) AS warning_count values(eval(searchmatch("Error"))) AS Error_count values(eval(searchmatch("Critical"))) AS Critical_count | where warning_count&gt;5 OR Error_count&gt;5 OR Critical_count&gt;5</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 26 Apr 2024 16:18:56 GMT gcusello 2024-04-26T16:18:56Z https://community.splunk.com/t5/Alerting/Alert-with-3-different-threshold-for-3-different-event-in-on/m-p/685646#M15960 <P>Hi team,<BR /><BR />I need help to create a query with&nbsp;with 3 different threshold for 3 different event in single splunk alert.<BR /><BR />for example :<BR /><BR />index= abc<BR />sourcetype=xyz<BR /><BR />"warning" OR "Error" OR Critical<BR /><BR />If any of these ("warning" OR "Error" OR Critical) occurred 5 times in events in last 15 minutes alert should be triggered .<BR /><BR /><BR />&nbsp;<BR /><BR /></P> Fri, 26 Apr 2024 15:58:31 GMT https://community.splunk.com/t5/Alerting/Alert-with-3-different-threshold-for-3-different-event-in-on/m-p/685646#M15960 cbiraris 2024-04-26T15:58:31Z https://community.splunk.com/t5/Alerting/Alert-with-3-different-threshold-for-3-different-event-in-on/m-p/685647#M15961 <P>Please clarify your requirement - do you want the alert to trigger if any of the values occurs 5 times e.g. 2 warnings, 2 errors and 1 critical, or only if any of them individually occur 5 times e.g. 5 warnings or 5 errors or 5 criticals?</P> Fri, 26 Apr 2024 16:02:15 GMT https://community.splunk.com/t5/Alerting/Alert-with-3-different-threshold-for-3-different-event-in-on/m-p/685647#M15961 ITWhisperer 2024-04-26T16:02:15Z https://community.splunk.com/t5/Alerting/Alert-with-3-different-threshold-for-3-different-event-in-on/m-p/685650#M15962 <P><SPAN>Yes, only if any of them individually occur 5 times e.g. 5 warnings or 5 errors or 5 criticals<BR /><BR /></SPAN></P><P>&nbsp;</P> Fri, 26 Apr 2024 16:16:36 GMT https://community.splunk.com/t5/Alerting/Alert-with-3-different-threshold-for-3-different-event-in-on/m-p/685650#M15962 cbiraris 2024-04-26T16:16:36Z https://community.splunk.com/t5/Alerting/Alert-with-3-different-threshold-for-3-different-event-in-on/m-p/685651#M15963 <P><SPAN>Yes, only if any of them individually occur 5 times e.g. 5 warnings or 5 errors or 5 criticals</SPAN></P> Fri, 26 Apr 2024 16:17:03 GMT https://community.splunk.com/t5/Alerting/Alert-with-3-different-threshold-for-3-different-event-in-on/m-p/685651#M15963 cbiraris 2024-04-26T16:17:03Z https://community.splunk.com/t5/Alerting/Alert-with-3-different-threshold-for-3-different-event-in-on/m-p/685652#M15964 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/247215">@cbiraris</a>&nbsp;,</P><P>I suppose that these three values are in a field (e.g. type), so you can run a search like the folowing:</P><LI-CODE lang="markup">index= abc sourcetype=xyz type IN ("warning", "Error", Critical) | stats values(eval(type="warning")) AS warning_count values(eval(type="Error")) AS Error_count values(eval(type="Critical")) AS Critical_count | where warning_count&gt;5 OR Error_count&gt;5 OR Critical_count&gt;5</LI-CODE><P>you can aso setup a different threshold for each type of message.</P><P>If you don't have the three values in a fied, you have to use a similar search:</P><LI-CODE lang="markup">index= abc sourcetype=xyz ("warning" OR "Error" OR Critical) | stats values(eval(searchmatch("warning"))) AS warning_count values(eval(searchmatch("Error"))) AS Error_count values(eval(searchmatch("Critical"))) AS Critical_count | where warning_count&gt;5 OR Error_count&gt;5 OR Critical_count&gt;5</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 26 Apr 2024 16:18:56 GMT https://community.splunk.com/t5/Alerting/Alert-with-3-different-threshold-for-3-different-event-in-on/m-p/685652#M15964 gcusello 2024-04-26T16:18:56Z https://community.splunk.com/t5/Alerting/Alert-with-3-different-threshold-for-3-different-event-in-on/m-p/685654#M15965 <P>Thank you this one working for me <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P> Fri, 26 Apr 2024 16:25:56 GMT https://community.splunk.com/t5/Alerting/Alert-with-3-different-threshold-for-3-different-event-in-on/m-p/685654#M15965 cbiraris 2024-04-26T16:25:56Z