topic Re: Alert when "rises by" issue in Alerting

Alert when "rises by" issue

hbazan — Wed, 15 Sep 2010 20:53:12 GMT

Hi. I have scheduled a search to run on midnight, and I need to send a mail if the number of returned events is greater than the day before. I've configured this: Schedule type: Basic Run every: Day at midnight

Alert conditions Perform actions: If number of events Rises by 1

Alert actions Send email

Either I've misinterpreted the "rises by" setting, or it's not working. Because I've run the search yesterday getting 6 events, and run it today and I've got 9 events, but splunk didn't send the alert. Any thoughts?

Re: Alert when "rises by" issue

Genti — Thu, 16 Sep 2010 05:20:49 GMT

Hey HB.
I cannot tell from your question if the search ran automatically (scheduled) the first time or not but, the way rises by works is this:

Day 0: You automatically run a search and get 5 results
Day 1: You decide to schedule this search and alert you if the events rise. This search returns 8 results but will not alert you, because there is no baseline for this search to compare the 8 results to.
Day 2: The search runs again, this time returning 10 events, and SHOULD alert you, since 10 -8 = 2 >1. In this second scheduled run, there is a baseline of 8 to compare to and an alert should be triggered.

If this is not the behavior you are seeing then you might want to test your email alerting capabilities. If those are working, then perhaps a case with our support should be opened and a diag attached to the case.

Hope this helps,
Cheers!
.gz

Re: Alert when "rises by" issue

hbazan — Thu, 16 Sep 2010 20:47:12 GMT

Hi Genti.
I think I've found the issue. If I go to Jobs and filter this saved search, the number of events for last two runs says "0", but if I open the results I do have events (but above the flashtimeline says "0 matching events"). And if I re-run the search (on the same window) the results I got the same results but the "matching events" is right. Maybe that's what's avoiding the alarm to run?