https://community.splunk.com/t5/Alerting/How-to-create-an-email-alert-when-the-error-count-on-a-server-is/m-p/268602#M4928 <P>Have your search look back 15 minutes and in spot labeled "Trigger alert when", use the "Custom" action and add :</P> <PRE><CODE>search count&gt;10 </CODE></PRE> <P>If, on the other hand, you want to look back 24 hours and get a count for every 15 minutes, try</P> <PRE><CODE>your base search | bin _time span=15m | stats count BY _time Machine | search count&gt;10 </CODE></PRE> <P>In addition, there's no need to <CODE>dedup Machine</CODE> when you use <CODE>stats count BY Machine</CODE></P> Fri, 21 Oct 2016 21:49:41 GMT Yorokobi 2016-10-21T21:49:41Z https://community.splunk.com/t5/Alerting/How-to-create-an-email-alert-when-the-error-count-on-a-server-is/m-p/268601#M4927 <P>Hi,</P> <P>I have this simple search to find out some errors in the logs:</P> <PRE><CODE>index=cohl source=msmq earliest=-24h@h latest=now "System.Data.SqlClient.SqlException: Timeout expired*" "Servername*" | xmlkv | dedup Machine | stats count by Machine </CODE></PRE> <P>As a result of this search, I get a table which has one row listing of all the servers and another row listing the count, this count is the number of occurrences of the keyword.</P> <P>I need to create an alert to send email if, in 15 minutes, the count on any of the servers is more than 10. Any idea on how to do it??</P> Fri, 21 Oct 2016 21:13:51 GMT https://community.splunk.com/t5/Alerting/How-to-create-an-email-alert-when-the-error-count-on-a-server-is/m-p/268601#M4927 macadminrohit 2016-10-21T21:13:51Z https://community.splunk.com/t5/Alerting/How-to-create-an-email-alert-when-the-error-count-on-a-server-is/m-p/268602#M4928 <P>Have your search look back 15 minutes and in spot labeled "Trigger alert when", use the "Custom" action and add :</P> <PRE><CODE>search count&gt;10 </CODE></PRE> <P>If, on the other hand, you want to look back 24 hours and get a count for every 15 minutes, try</P> <PRE><CODE>your base search | bin _time span=15m | stats count BY _time Machine | search count&gt;10 </CODE></PRE> <P>In addition, there's no need to <CODE>dedup Machine</CODE> when you use <CODE>stats count BY Machine</CODE></P> Fri, 21 Oct 2016 21:49:41 GMT https://community.splunk.com/t5/Alerting/How-to-create-an-email-alert-when-the-error-count-on-a-server-is/m-p/268602#M4928 Yorokobi 2016-10-21T21:49:41Z https://community.splunk.com/t5/Alerting/How-to-create-an-email-alert-when-the-error-count-on-a-server-is/m-p/268603#M4929 <P>I can do that, but my requirement is little bit different.</P> <P>As I mentioned in my question, each server will have certain number of events and the result of my query will give the list of servers, I want to send an alert when on any of the server the number of occurrences of events is more than 10.</P> Mon, 24 Oct 2016 14:59:06 GMT https://community.splunk.com/t5/Alerting/How-to-create-an-email-alert-when-the-error-count-on-a-server-is/m-p/268603#M4929 macadminrohit 2016-10-24T14:59:06Z https://community.splunk.com/t5/Alerting/How-to-create-an-email-alert-when-the-error-count-on-a-server-is/m-p/268604#M4930 <P>If that's the case, then the first part of my answer is what you want.</P> Mon, 24 Oct 2016 15:34:10 GMT https://community.splunk.com/t5/Alerting/How-to-create-an-email-alert-when-the-error-count-on-a-server-is/m-p/268604#M4930 Yorokobi 2016-10-24T15:34:10Z