<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: custom alert condition for alert in Alerting</title>
    <link>https://community.splunk.com/t5/Alerting/custom-alert-condition-for-alert/m-p/38299#M428</link>
    <description>&lt;P&gt;You want to use the "if number events" condition, not custom condition, and then put a 0 in the box.&lt;/P&gt;</description>
    <pubDate>Fri, 17 May 2013 19:12:47 GMT</pubDate>
    <dc:creator>alacercogitatus</dc:creator>
    <dc:date>2013-05-17T19:12:47Z</dc:date>
    <item>
      <title>custom alert condition for alert</title>
      <link>https://community.splunk.com/t5/Alerting/custom-alert-condition-for-alert/m-p/38296#M425</link>
      <description>&lt;P&gt;Can someone help me with this? I am pretty new to Splunk and getting stuck with a custom alert condition. This is the search which I am using.&lt;/P&gt;

&lt;P&gt;index=coreops sourcetype="sitescope_runmonitor" "ERROR - skipped #5" | top host by remoteHost | rename host AS SiS_Manager&lt;/P&gt;

&lt;P&gt;gives me following result,&lt;/P&gt;

&lt;P&gt;remoteHost               SiS_Manager              Count    percent&lt;BR /&gt;
eiman122vwin             ei0760vwin                 1      100.00000&lt;/P&gt;

&lt;P&gt;I want to use trigger if custom conditions to match the value in count column and alert if any value is found higher than 5. I tried to use count&amp;gt;5 but that doesn't work. Any help would be really appreciated.&lt;/P&gt;

&lt;P&gt;Anoop&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 13:55:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/custom-alert-condition-for-alert/m-p/38296#M425</guid>
      <dc:creator>anoopambli</dc:creator>
      <dc:date>2020-09-28T13:55:56Z</dc:date>
    </item>
    <item>
      <title>Re: custom alert condition for alert</title>
      <link>https://community.splunk.com/t5/Alerting/custom-alert-condition-for-alert/m-p/38297#M426</link>
      <description>&lt;P&gt;You could set up your search as such:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;index=coreops sourcetype="sitescope_runmonitor" "ERROR - skipped #5" | top host by remoteHost | rename host AS SiS_Manager | where count &amp;gt; 4&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;and then in your alert, set the condition to "if number events &amp;gt; 0"&lt;/P&gt;</description>
      <pubDate>Fri, 17 May 2013 14:20:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/custom-alert-condition-for-alert/m-p/38297#M426</guid>
      <dc:creator>alacercogitatus</dc:creator>
      <dc:date>2013-05-17T14:20:15Z</dc:date>
    </item>
    <item>
      <title>Re: custom alert condition for alert</title>
      <link>https://community.splunk.com/t5/Alerting/custom-alert-condition-for-alert/m-p/38298#M427</link>
      <description>&lt;P&gt;Not sure if I am trying anything wrong in the custom condition, but getting this error message,&lt;/P&gt;

&lt;P&gt;Cannot parse alert condition. Error in 'SearchParser': Missing a search command before '"'. &lt;/P&gt;

&lt;P&gt;I am getting this error on Create alert, trigger if custom condition.&lt;/P&gt;</description>
      <pubDate>Fri, 17 May 2013 16:34:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/custom-alert-condition-for-alert/m-p/38298#M427</guid>
      <dc:creator>anoopambli</dc:creator>
      <dc:date>2013-05-17T16:34:23Z</dc:date>
    </item>
    <item>
      <title>Re: custom alert condition for alert</title>
      <link>https://community.splunk.com/t5/Alerting/custom-alert-condition-for-alert/m-p/38299#M428</link>
      <description>&lt;P&gt;You want to use the "if number events" condition, not custom condition, and then put a 0 in the box.&lt;/P&gt;</description>
      <pubDate>Fri, 17 May 2013 19:12:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/custom-alert-condition-for-alert/m-p/38299#M428</guid>
      <dc:creator>alacercogitatus</dc:creator>
      <dc:date>2013-05-17T19:12:47Z</dc:date>
    </item>
    <item>
      <title>Re: custom alert condition for alert</title>
      <link>https://community.splunk.com/t5/Alerting/custom-alert-condition-for-alert/m-p/675189#M15709</link>
      <description>&lt;P&gt;I was facing the same issue. I used the following condition and it is working fine:&lt;/P&gt;&lt;P&gt;search result_of_search &amp;gt; 10&lt;/P&gt;</description>
      <pubDate>Tue, 23 Jan 2024 15:02:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/custom-alert-condition-for-alert/m-p/675189#M15709</guid>
      <dc:creator>eroncampello</dc:creator>
      <dc:date>2024-01-23T15:02:46Z</dc:date>
    </item>
  </channel>
</rss>

