topic Re: How to set up a scheduled alert to send an email if I do not get a response or acknowledgement for a particular ID? in Alerting https://community.splunk.com/t5/Alerting/How-to-set-up-a-scheduled-alert-to-send-an-email-if-I-do-not-get/m-p/227282#M4168 <P>Hi prashanthberam,<BR /> you should create a lookup with your student IDs (e.g.: StudentID.csv) and then run a search like this:</P> <PRE><CODE>| inputlookup StudentID.csv | eval count=0, StudentID=lower(StudentID) | append [ search index=yourindex | StudentID=lower(StudentID) | stats count by StudentID ] | stats sum(count) AS Total BY StudentID | where Total=0 </CODE></PRE> <P>In this way you have all the StudentsID that aren't present in search results.<BR /> Bye.<BR /> Giuseppe</P> Mon, 14 Nov 2016 09:00:35 GMT gcusello 2016-11-14T09:00:35Z How to set up a scheduled alert to send an email if I do not get a response or acknowledgement for a particular ID? https://community.splunk.com/t5/Alerting/How-to-set-up-a-scheduled-alert-to-send-an-email-if-I-do-not-get/m-p/227278#M4164 <P>Hi,</P> <P>I have data like this:</P> <P>student id request type<BR /><BR /> 13030 ack<BR /> 13030 response <BR /> 13030 request<BR /> 14040 request<BR /> 14040 response<BR /> 14040 ack</P> <P>So I need to schedule a search to run every 15 minutes, and send an email alert when I do not get any response or acknowledgement for a particular student id, including the student and their multiple requests and responses. </P> Sun, 13 Nov 2016 07:40:54 GMT https://community.splunk.com/t5/Alerting/How-to-set-up-a-scheduled-alert-to-send-an-email-if-I-do-not-get/m-p/227278#M4164 prashanthberam 2016-11-13T07:40:54Z Re: How to set up a scheduled alert to send an email if I do not get a response or acknowledgement for a particular ID? https://community.splunk.com/t5/Alerting/How-to-set-up-a-scheduled-alert-to-send-an-email-if-I-do-not-get/m-p/227279#M4165 <P>Assuming your data has student_id and request_type fields.</P> <PRE><CODE>your search query | stats count as RequestCount values(request_type) as RequestTypes by student_id | search RequestCount&gt;=1 AND NOT (RequestTypes="response" OR RequestTypes="ack") </CODE></PRE> <P>Setup Alert with<BR /> 1) Alert Type &gt; Scheduled "Run on Cron Schedule" and for running every 15 minutes (For example following is only for weekdays): <CODE>*/15 * * * 1-5</CODE><BR /> 2) Trigger Condition &gt; Trigger Alert when "Number of Results" "is greater than" 0</P> Tue, 29 Sep 2020 11:44:55 GMT https://community.splunk.com/t5/Alerting/How-to-set-up-a-scheduled-alert-to-send-an-email-if-I-do-not-get/m-p/227279#M4165 niketn 2020-09-29T11:44:55Z Re: How to set up a scheduled alert to send an email if I do not get a response or acknowledgement for a particular ID? https://community.splunk.com/t5/Alerting/How-to-set-up-a-scheduled-alert-to-send-an-email-if-I-do-not-get/m-p/227280#M4166 <P>am getting every studentnames and their requesttypes and their count but i need who are doesn't have the "ACK" "RESPONSE" i need those information....</P> Sun, 13 Nov 2016 15:26:31 GMT https://community.splunk.com/t5/Alerting/How-to-set-up-a-scheduled-alert-to-send-an-email-if-I-do-not-get/m-p/227280#M4166 prashanthberam 2016-11-13T15:26:31Z Re: How to set up a scheduled alert to send an email if I do not get a response or acknowledgement for a particular ID? https://community.splunk.com/t5/Alerting/How-to-set-up-a-scheduled-alert-to-send-an-email-if-I-do-not-get/m-p/227281#M4167 <P>Can you validate the fields in search are correct? I tested with following data (14041 has only request and no ack and response). The query worked for me. Please play around with final search conditions requestCount and requestTypes (If you are getting count, then requestCount=1 alone without requestType condition, on high level should give you only requests).</P> <P>2016-10-29 13:24:43.310 student_id=13030 request_type=ack<BR /> 2016-10-29 13:25:43.310 student_id=13030 request_type=response <BR /> 2016-10-29 13:26:43.310 student_id=13030 request_type=request<BR /> 2016-10-29 13:27:43.310 student_id=14040 request_type=request<BR /> 2016-10-29 13:28:43.310 student_id=14040 request_type=response<BR /> 2016-10-29 13:29:43.310 student_id=14040 request_type=ack<BR /> 2016-10-29 13:27:43.310 student_id=14041 request_type=request</P> <PRE><CODE>index=main sourcetype="splunk_answers_475441" | stats count as RequestCount values(request_type) as RequestTypes by student_id | search RequestCount&gt;=1 AND NOT (RequestTypes="response" OR RequestTypes="ack") </CODE></PRE> Tue, 29 Sep 2020 11:48:26 GMT https://community.splunk.com/t5/Alerting/How-to-set-up-a-scheduled-alert-to-send-an-email-if-I-do-not-get/m-p/227281#M4167 niketn 2020-09-29T11:48:26Z Re: How to set up a scheduled alert to send an email if I do not get a response or acknowledgement for a particular ID? https://community.splunk.com/t5/Alerting/How-to-set-up-a-scheduled-alert-to-send-an-email-if-I-do-not-get/m-p/227282#M4168 <P>Hi prashanthberam,<BR /> you should create a lookup with your student IDs (e.g.: StudentID.csv) and then run a search like this:</P> <PRE><CODE>| inputlookup StudentID.csv | eval count=0, StudentID=lower(StudentID) | append [ search index=yourindex | StudentID=lower(StudentID) | stats count by StudentID ] | stats sum(count) AS Total BY StudentID | where Total=0 </CODE></PRE> <P>In this way you have all the StudentsID that aren't present in search results.<BR /> Bye.<BR /> Giuseppe</P> Mon, 14 Nov 2016 09:00:35 GMT https://community.splunk.com/t5/Alerting/How-to-set-up-a-scheduled-alert-to-send-an-email-if-I-do-not-get/m-p/227282#M4168 gcusello 2016-11-14T09:00:35Z