topic Re: Alarm is not working in Alerting

Alarm is not working

hommesf — Tue, 29 Sep 2020 18:47:48 GMT

Hey,

I've set up an alarm for a search which is very easy:
index=radius radius_login_status="Login OK:"
This gives me quite many results.

Now I've set up the alarm with trigger alarm when the number of results is higher then 5.

The search is executed every 5 min. and the results are between 50 and 2000. But no alarm is fired!

I don't understand why 😕

Thanx
Frank

Re: Alarm is not working

skoelpin — Wed, 28 Mar 2018 13:41:12 GMT

Try setting your trigger in SPL rather than in the alert settings

index=radius radius_login_status="Login OK:"
| stats count
| where count>5

Re: Alarm is not working

hommesf — Wed, 28 Mar 2018 14:15:55 GMT

Still no alarm 😞

Re: Alarm is not working

skoelpin — Wed, 28 Mar 2018 15:16:02 GMT

How are you testing this? How is your alert setup? Are you looking for a count greater than 5 in a specific timespan? What timespan are you looking for?

This works on my end

| makeresults count=6
 | stats count
 | where count>5
 | eval alarm=if(count>5,"ALERT","")
 | fields alarm

Re: Alarm is not working

hommesf — Wed, 28 Mar 2018 15:23:33 GMT

The output of this will be ALERT of course.
But I'm trying to set up an alert for the results of a search.
I got around 1000 entries per 5 minutes and the cronjob is running every five minutes. I can check the job out and I will get 1000 results.
But there is no alert although I set the Trigger Conditions to number of results and then is greater than 10.

Re: Alarm is not working

skoelpin — Wed, 28 Mar 2018 15:26:52 GMT

Your not following the advice I'm giving you here..

You need to setup the alert in SPL then change your alert value to "custom" then fill in count for the value.

Re: Alarm is not working

hommesf — Tue, 29 Sep 2020 18:48:20 GMT

I probably don't unterstand.
So you mean in alert settings I should put in the following search:
index=radius radius_login_status="Login OK:"
| stats count
| where count>5

and then on alert value custom search count > 5
This is not working either.

Re: Alarm is not working

skoelpin — Wed, 28 Mar 2018 15:41:20 GMT

No. Select "custom" in your alert actions. Then the field below it will be empty. In that empty field, put count

Re: Alarm is not working

hommesf — Wed, 28 Mar 2018 15:43:52 GMT

I got the following error when saving:
"Cannot parse alert condition. Search Factory: Unknown search command 'count'."

Re: Alarm is not working

skoelpin — Wed, 28 Mar 2018 15:52:52 GMT

My bad, it should look like this

index=radius radius_login_status="Login OK:"
| stats count

Have that empty field under "custom" as search count>5

Re: Alarm is not working

hommesf — Wed, 28 Mar 2018 17:10:28 GMT

I had this for some time but didn't work
Tried it again but no alarm.

Re: Alarm is not working

skoelpin — Wed, 28 Mar 2018 17:16:37 GMT

Works on mine.. Not sure anyone will be able to help you with such little information

Re: Alarm is not working

hommesf — Wed, 28 Mar 2018 17:19:25 GMT

I'm willing to give more information but I don't know what more... Setting up an alarm should be quite easy there is not much you can do wrong... When I check the results I DO get like 1000 and when I set the trigger to fire when there are more then 10 results it's no rocket science...
I'm confused...

Re: Alarm is not working

skoelpin — Wed, 28 Mar 2018 17:22:04 GMT

It's very easy to setup alerts in Splunk.

My second comment from the top asks about the time range. If your timespan is not returning results than it will not alert. What is your timerange your searching over? Can you post pictures showing that timerange with no results being returned?

Re: Alarm is not working

hommesf — Wed, 28 Mar 2018 17:26:58 GMT

It should fire when there are more then x results. At the moment I'm testing with 10 results. As you can see the search give about 500 results atm.