topic Re: How do I trigger an alert if a continuously number repeats more than 5 times? in Alerting

How do I trigger an alert if a continuously number repeats more than 5 times?

DataOrg — Thu, 23 Aug 2018 13:54:10 GMT

For example.
i have a field which has repeated numbers. if a number is repeated more than 5 times, i need to clear an alert.

for example if number "3" repeats more than 5 times. i need to filter it.

1
1
1
2
3
3
3
3
5

Re: How do I trigger an alert if a continuously number repeats more than 5 times?

vishaltaneja070 — Thu, 23 Aug 2018 13:59:17 GMT

you can run a query with
| stats count(field) by field

Which will give you output like this:
field count
1 3
2 1
3 5
4 3

Then you can create a alert based on count field with count>5 and pass the value of $field$ in result.

Re: How do I trigger an alert if a continuously number repeats more than 5 times?

sudosplunk — Thu, 23 Aug 2018 14:09:00 GMT

If you have a field called "X", then add something like below to your search and schedule your alert in a normal way.

...count(eval(X="3")) AS count_number BY sourcetype | where count_number > 5

Re: How do I trigger an alert if a continuously number repeats more than 5 times?

DataOrg — Thu, 23 Aug 2018 17:09:51 GMT

3 is not a constant.. even if 2 was present more than 5 we need trigger alert. It will be like if a same number present more than 5 times . We need to trigger an alert

Re: How do I trigger an alert if a continuously number repeats more than 5 times?

sudosplunk — Thu, 23 Aug 2018 18:22:19 GMT

Can you paste some sample (actual looking events) data. Please mask unwanted information. I want to look at the actual field with value.

Re: How do I trigger an alert if a continuously number repeats more than 5 times?

mstjohn_splunk — Thu, 23 Aug 2018 22:46:52 GMT

Hi @premranjithj, Were you able to test out either of these solutions? Did they work? If yes, please don't forget to resolve this post by clicking on "Accept". If you still need more help, please provide a comment with some feedback. Thanks!

Re: How do I trigger an alert if a continuously number repeats more than 5 times?

DataOrg — Fri, 24 Aug 2018 06:54:18 GMT

below is the example. we need to refer column inc_value. if same number repeats more than 5 times. we need to trigger alert

datetime inc_value
24/08/2018 06:18 1
24/08/2018 06:20 1
24/08/2018 06:30 1
24/08/2018 06:33 1
24/08/2018 06:34 1
24/08/2018 06:38 1
24/08/2018 06:40 1
24/08/2018 06:45 1
24/08/2018 06:18 2
24/08/2018 06:21 2
24/08/2018 06:32 2
24/08/2018 06:22 3
24/08/2018 06:25 3
24/08/2018 06:39 3
24/08/2018 06:44 3
24/08/2018 06:21 4
24/08/2018 06:24 4
24/08/2018 06:31 4
24/08/2018 06:37 4
24/08/2018 06:42 4
24/08/2018 06:20 5
24/08/2018 06:21 5
24/08/2018 06:30 5
24/08/2018 06:31 5
24/08/2018 06:34 5
24/08/2018 06:35 5
24/08/2018 06:36 5
24/08/2018 06:37 5
24/08/2018 06:39 5
24/08/2018 06:40 5
24/08/2018 06:41 5
24/08/2018 06:42 5

Re: How do I trigger an alert if a continuously number repeats more than 5 times?

sudosplunk — Fri, 24 Aug 2018 19:20:24 GMT

See if this works, ...| stats count by inc_value | where count > 5

Below is the run anywhere search:

| makeresults | eval new = "24/08/2018 06:18 1
24/08/2018 06:20 1
24/08/2018 06:30 1
24/08/2018 06:33 1
24/08/2018 06:34 1
24/08/2018 06:38 1
24/08/2018 06:40 1
24/08/2018 06:45 1
24/08/2018 06:18 2
24/08/2018 06:21 2
24/08/2018 06:32 2
24/08/2018 06:22 3
24/08/2018 06:25 3
24/08/2018 06:39 3
24/08/2018 06:44 3
24/08/2018 06:21 4
24/08/2018 06:24 4
24/08/2018 06:31 4
24/08/2018 06:37 4
24/08/2018 06:42 4
24/08/2018 06:20 5
24/08/2018 06:21 5
24/08/2018 06:30 5
24/08/2018 06:31 5
24/08/2018 06:34 5
24/08/2018 06:35 5
24/08/2018 06:36 5
24/08/2018 06:37 5
24/08/2018 06:39 5
24/08/2018 06:40 5
24/08/2018 06:41 5
24/08/2018 06:42 5"
| rex max_match=0 field=new "\S+\s\S+\s(?<inc>\d)"
| stats count by inc
| where count > 5