https://community.splunk.com/t5/Alerting/Alert-based-on-sum-time/m-p/37121#M413 <P>Hi,</P> <P>I have a query for 1 hour as:</P> <P>"Search String" sourcetype="XX" source="XX" | stats sum(time) by host</P> <P>I have 2 hosts and i see</P> <P>host1 28.7<BR /> host2 45.9</P> <P>I need to set an alert if any of these host values reach 100. Any pointers?</P> Thu, 16 Aug 2012 16:11:34 GMT aniketb 2012-08-16T16:11:34Z https://community.splunk.com/t5/Alerting/Alert-based-on-sum-time/m-p/37121#M413 <P>Hi,</P> <P>I have a query for 1 hour as:</P> <P>"Search String" sourcetype="XX" source="XX" | stats sum(time) by host</P> <P>I have 2 hosts and i see</P> <P>host1 28.7<BR /> host2 45.9</P> <P>I need to set an alert if any of these host values reach 100. Any pointers?</P> Thu, 16 Aug 2012 16:11:34 GMT https://community.splunk.com/t5/Alerting/Alert-based-on-sum-time/m-p/37121#M413 aniketb 2012-08-16T16:11:34Z https://community.splunk.com/t5/Alerting/Alert-based-on-sum-time/m-p/37122#M414 <P>You can use where to filter the results</P> <PRE><CODE>"Search String" sourcetype="XX" source="XX" | stats sum(time) as duration by host | where duration &gt;= 100 </CODE></PRE> <P>Or if you wan to keep the smaller results you can set a custom condition in the alert settingss to be </P> <PRE><CODE>where duration &gt;= 100 </CODE></PRE> Thu, 16 Aug 2012 16:35:56 GMT https://community.splunk.com/t5/Alerting/Alert-based-on-sum-time/m-p/37122#M414 BobM 2012-08-16T16:35:56Z https://community.splunk.com/t5/Alerting/Alert-based-on-sum-time/m-p/37123#M415 <P>Thanks BobM!</P> Thu, 16 Aug 2012 17:27:15 GMT https://community.splunk.com/t5/Alerting/Alert-based-on-sum-time/m-p/37123#M415 aniketb 2012-08-16T17:27:15Z