https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302276#M5433 <P>I think you'd be best served using a lookup table to define the limits, then filtering those where the count is greater than the limit with <CODE>where</CODE>. Example configuration below.</P> <P>agent_limits.csv:</P> <PRE><CODE>agent,limit nfc*,700 mm_write,5000 breeze,1500 megafon_bitmap,1000 bankm_cashback,5000 *,7000 </CODE></PRE> <P>transforms.conf:</P> <PRE><CODE>[agent_limits] filename = agent_limits.csv match_type = WILDCARD(agent) max_matches = 1 </CODE></PRE> <P>Run anywhere search demonstrating functionality:</P> <PRE><CODE>| makeresults | eval agent="nfc1", count=650 | append [| makeresults | eval agent="nfc2", count=750] | append [| makeresults | eval agent="breeze", count=5001] | lookup agent_limits agent OUTPUT limit | where count&gt;=limit </CODE></PRE> <P>The key components are <CODE>match_type = WILDCARD(agent)</CODE> in transforms.conf and <CODE>*,7000</CODE>. The former tells Splunk that it should treat <CODE>*</CODE> in a lookup file as a wildcard and thus allow partial matches. The latter is a default limit, applied when no other agent matched. That default lookup needs to be last in the lookup file.</P> Thu, 11 Jan 2018 14:55:32 GMT micahkemp 2018-01-11T14:55:32Z https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302274#M5431 <P>I need to be alerted that the agent is exceeding its specified limit, and if the agent limit is not set, then the base limit triggered</P> <P>To atchive that I have created such search string for alert</P> <BLOCKQUOTE> <PRE><CODE>index=api | stats count as c by agent | search (agent=nfc* c&gt;700) OR (agent=mm_write c&gt;5000) OR (agent=breeze c&gt;1500) OR (agent=megafon_bitmap c &gt; 1000) OR (agent=bankm_cashback с&gt;5000) OR (agent!=breeze agent!=nfc* agent!=mm_write agent!=bankm_cashback agent!=megafon_bitmap c&gt;700) </CODE></PRE> </BLOCKQUOTE> <P>But it looks too cumbersome</P> <P>Is there better way to do this?<BR /> I would like to maintain some kind of table of agents limits. </P> Thu, 11 Jan 2018 14:00:51 GMT https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302274#M5431 exmuzzy 2018-01-11T14:00:51Z https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302275#M5432 <P>perhaps you can try something like this<BR /> its the same just took like terms together</P> <PRE><CODE> index=api | stats count as c by agent | search (((agent!=breeze agent!=nfc* agent!=mm_write agent!=bankm_cashback agent!=megafon_bitmap) OR agent=nfc*) c&gt;700) OR ((agent=mm_write OR agent=bankm_cashback) c&gt;5000) OR (agent=breeze c&gt;1500) OR (agent=megafon_bitmap c&gt;1000) </CODE></PRE> <P>let me know if this helps!</P> Thu, 11 Jan 2018 14:17:09 GMT https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302275#M5432 mayurr98 2018-01-11T14:17:09Z https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302276#M5433 <P>I think you'd be best served using a lookup table to define the limits, then filtering those where the count is greater than the limit with <CODE>where</CODE>. Example configuration below.</P> <P>agent_limits.csv:</P> <PRE><CODE>agent,limit nfc*,700 mm_write,5000 breeze,1500 megafon_bitmap,1000 bankm_cashback,5000 *,7000 </CODE></PRE> <P>transforms.conf:</P> <PRE><CODE>[agent_limits] filename = agent_limits.csv match_type = WILDCARD(agent) max_matches = 1 </CODE></PRE> <P>Run anywhere search demonstrating functionality:</P> <PRE><CODE>| makeresults | eval agent="nfc1", count=650 | append [| makeresults | eval agent="nfc2", count=750] | append [| makeresults | eval agent="breeze", count=5001] | lookup agent_limits agent OUTPUT limit | where count&gt;=limit </CODE></PRE> <P>The key components are <CODE>match_type = WILDCARD(agent)</CODE> in transforms.conf and <CODE>*,7000</CODE>. The former tells Splunk that it should treat <CODE>*</CODE> in a lookup file as a wildcard and thus allow partial matches. The latter is a default limit, applied when no other agent matched. That default lookup needs to be last in the lookup file.</P> Thu, 11 Jan 2018 14:55:32 GMT https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302276#M5433 micahkemp 2018-01-11T14:55:32Z https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302277#M5434 <P>Is there a way to create agent_limits.csv from the splunk web?</P> Thu, 11 Jan 2018 15:58:26 GMT https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302277#M5434 exmuzzy 2018-01-11T15:58:26Z https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302278#M5435 <P>You can add lookups via Splunk Web, but you can't add the transforms I suggested via Web. Is this in Splunk Cloud, where there is no CLI access?</P> Thu, 11 Jan 2018 16:04:51 GMT https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302278#M5435 micahkemp 2018-01-11T16:04:51Z https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302279#M5436 <P>It works perfectly! Many thanks!</P> Fri, 12 Jan 2018 06:36:23 GMT https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302279#M5436 exmuzzy 2018-01-12T06:36:23Z https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302280#M5437 <P>2micahkemp: can you hint me how to calculate limits for agents based on their regular activity?<BR /> I mean, how to generate agent_limits.csv based on previous events automativcaly not manualy?</P> Fri, 12 Jan 2018 17:25:24 GMT https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302280#M5437 exmuzzy 2018-01-12T17:25:24Z https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302281#M5438 <P>You can use <CODE>| outputlookup</CODE> to write search results to a lookup file, which would allow you to create it programmatically. My sample lookup file could have been produced by this search:</P> <PRE><CODE>| makeresults | eval agent="nfc*", limit=700 | append [| makeresults | eval agent="mm_write", limit=5000] | append [| makeresults | eval agent="breeze", limit=1500] | append [| makeresults | eval agent="megafon_bitmap", limit=1000] | append [| makeresults | eval agent="bankm_cashback", limit=5000] | append [| makeresults | eval agent="*", limit=7000] | fields - _time | outputlookup agent_limits.csv </CODE></PRE> <P>But the logic that determines what those limits should be based on your data, I don't know how to help you there.</P> Fri, 12 Jan 2018 17:50:14 GMT https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302281#M5438 micahkemp 2018-01-12T17:50:14Z https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302282#M5439 <P>Thanks a lot!<BR /> I've created another question on this topic<BR /> <A href="https://answers.splunk.com/answers/611366/how-to-calculate-limits-for-agents-based-on-their.html">https://answers.splunk.com/answers/611366/how-to-calculate-limits-for-agents-based-on-their.html</A></P> Fri, 12 Jan 2018 20:13:41 GMT https://community.splunk.com/t5/Alerting/How-to-create-alert-with-customized-limits-for-many-agents/m-p/302282#M5439 exmuzzy 2018-01-12T20:13:41Z