https://community.splunk.com/t5/Alerting/Why-is-Splunk-not-allowing-me-to-specify-the-trigger-condition/m-p/214938#M3832 <P>Try providing the condition as <CODE>search Threads &gt; 1600</CODE> in the condition box.<BR /> Another way to do is including the condition in the search itself and alert when <CODE>Number of Results</CODE>is greater than '0'</P> <P>ie</P> <PRE><CODE>index=perfmon host=CCEVPSYCA01 sourcetype="Perfmon:System" counter=Threads| eval Date=strftime(_time, "%Y-%m-%d %H:%M") | rename Value AS Threads | table Date, Threads | SORT BY Date|search Threads &gt; 1600 </CODE></PRE> <P>and then selecting the drop down <CODE>Number of Results is greater than 0</CODE></P> Tue, 21 Jun 2016 10:06:45 GMT renjith_nair 2016-06-21T10:06:45Z https://community.splunk.com/t5/Alerting/Why-is-Splunk-not-allowing-me-to-specify-the-trigger-condition/m-p/214937#M3831 <P>Hi, </P> <P>I am using the following search for monitoring number of Threads on a server:</P> <PRE><CODE>index=perfmon host=CCEVPSYCA01 sourcetype="Perfmon:System" counter=Threads| eval Date=strftime(_time, "%Y-%m-%d %H:%M") | rename Value AS Threads | table Date, Threads | SORT BY Date </CODE></PRE> <P>and I want to set up an alert to be triggered when conditions are met (custom alert): Threads &gt; 1600. But Splunk does not allow me to specify this condition in the alert "threads &gt; 1600".</P> <P>Could you please help me in resolving this? Thanks,</P> Tue, 21 Jun 2016 09:11:32 GMT https://community.splunk.com/t5/Alerting/Why-is-Splunk-not-allowing-me-to-specify-the-trigger-condition/m-p/214937#M3831 B83896 2016-06-21T09:11:32Z https://community.splunk.com/t5/Alerting/Why-is-Splunk-not-allowing-me-to-specify-the-trigger-condition/m-p/214938#M3832 <P>Try providing the condition as <CODE>search Threads &gt; 1600</CODE> in the condition box.<BR /> Another way to do is including the condition in the search itself and alert when <CODE>Number of Results</CODE>is greater than '0'</P> <P>ie</P> <PRE><CODE>index=perfmon host=CCEVPSYCA01 sourcetype="Perfmon:System" counter=Threads| eval Date=strftime(_time, "%Y-%m-%d %H:%M") | rename Value AS Threads | table Date, Threads | SORT BY Date|search Threads &gt; 1600 </CODE></PRE> <P>and then selecting the drop down <CODE>Number of Results is greater than 0</CODE></P> Tue, 21 Jun 2016 10:06:45 GMT https://community.splunk.com/t5/Alerting/Why-is-Splunk-not-allowing-me-to-specify-the-trigger-condition/m-p/214938#M3832 renjith_nair 2016-06-21T10:06:45Z https://community.splunk.com/t5/Alerting/Why-is-Splunk-not-allowing-me-to-specify-the-trigger-condition/m-p/214939#M3833 <P>Hello,<BR /> Great! Thanks - first option worked for me!</P> Tue, 21 Jun 2016 12:27:36 GMT https://community.splunk.com/t5/Alerting/Why-is-Splunk-not-allowing-me-to-specify-the-trigger-condition/m-p/214939#M3833 B83896 2016-06-21T12:27:36Z https://community.splunk.com/t5/Alerting/Why-is-Splunk-not-allowing-me-to-specify-the-trigger-condition/m-p/214940#M3834 <P>Good to know. Please accept as answer so that the thread will be closed</P> Tue, 21 Jun 2016 14:11:59 GMT https://community.splunk.com/t5/Alerting/Why-is-Splunk-not-allowing-me-to-specify-the-trigger-condition/m-p/214940#M3834 renjith_nair 2016-06-21T14:11:59Z https://community.splunk.com/t5/Alerting/Why-is-Splunk-not-allowing-me-to-specify-the-trigger-condition/m-p/214941#M3835 <P>Done, thank you!</P> Tue, 21 Jun 2016 14:22:15 GMT https://community.splunk.com/t5/Alerting/Why-is-Splunk-not-allowing-me-to-specify-the-trigger-condition/m-p/214941#M3835 B83896 2016-06-21T14:22:15Z