topic Re: How to set up alerts with multiple fields with different thresholds in Splunk Search

How to set up alerts with multiple fields with different thresholds

abhishekbhasin — Tue, 29 Oct 2019 18:12:03 GMT

Trying to setup up an alert with multiple fields extracted through Field.

For example A,B, C etc and each having a different threshold for avg(time) and count.

Below is an example:

Re: How to set up alerts with multiple fields with different thresholds

mluna_splunk — Wed, 30 Sep 2020 02:46:04 GMT

Hi there -

Currently we don't support multiple fields in separate the same condition (e.g. you can do A>0 and A<10 but not A>0 and B>0).

The work around is to create a new single column that represents the underlying logic of the column combination e.g.

Change base search to something along the lines of:
index=XXXX sourcetype="XXX"
| eval a_or_b=case(Field in("A"), "A", Field in("B"), "B")
| stats count() as myCount, avg(time) as avg_time by a_or_b
| eval alert_a=case(a_or_b="A" AND avg_time>2 AND count>3, 1)
| eval alert_b=case(a_or_b="B" AND avg_time>5 AND count>10, 1)

In the UI....
Condition 1: alert_a = 1 --> actions
Condition 2: alert_b = 1--> actions

Also please feel free to email scs-alerts@splunk.com if you run into any additional trouble!

Re: How to set up alerts with multiple fields with different thresholds

aberkow — Tue, 29 Oct 2019 20:37:13 GMT

Can you write out some example data? I'm having a hard time coming up with a catch all answer for a few different cases I can think of that you might be talking about, and don't want to lead you down the wrong path!

Re: How to set up alerts with multiple fields with different thresholds

mluna_splunk — Tue, 29 Oct 2019 20:38:01 GMT

Have an answer pending post...

Re: How to set up alerts with multiple fields with different thresholds

abhishekbhasin — Tue, 29 Oct 2019 20:43:30 GMT

example in this case would be trigger an alert when avg(time) for A > 2 and count >3 then evaluate avg(time) for B >5 and count > 10. If all the conditions meets then only trigger an alert.

Re: How to set up alerts with multiple fields with different thresholds

woodcock — Tue, 29 Oct 2019 20:50:03 GMT

You cannot do it in the alert dialog so do it just like you are in SPL at the end and set your alert trigger to number of results and is greater than zero. This is more clear to the analysts anyway.

Re: How to set up alerts with multiple fields with different thresholds

mluna_splunk — Tue, 29 Oct 2019 20:51:39 GMT

Splunk Investigate Alerts don't support Number of Results > foo

Re: How to set up alerts with multiple fields with different thresholds

abhishekbhasin — Wed, 30 Sep 2020 02:44:02 GMT

Able to get the data with above mentioned query but having trouble building alert since it's a custom alert.

Could you please send syntax for this
Condition 1: alert_a = 1 --> actions
Condition 2: alert_b = 1--> actions

Re: How to set up alerts with multiple fields with different thresholds

abhishekbhasin — Wed, 30 Sep 2020 02:48:14 GMT

Able to get the data with above mentioned query but having trouble building alert since it's a custom alert.

Could you please send syntax for this
Condition 1: alert_a = 1 --> actions
Condition 2: alert_b = 1--> actions

Re: How to set up alerts with multiple fields with different thresholds

mluna_splunk — Thu, 31 Oct 2019 18:16:19 GMT

Hi there - you don't need syntax for that. You simply designate the numeric field in the Splunk Investigate triggers & alerts UI and whether <>= a particular value.

See https://docs.splunk.com/Documentation/SplunkInvestigate/Current/Use/Trigger

Re: How to set up alerts with multiple fields with different thresholds

mluna_splunk — Thu, 31 Oct 2019 18:16:41 GMT

Happy to help further w your specific case if you email scs-alerts@splunk.com

Re: How to set up alerts with multiple fields with different thresholds

woodcock — Thu, 31 Oct 2019 21:23:56 GMT

WHAT???? Are you sure? That is CRAZY!

Re: How to set up alerts with multiple fields with different thresholds

mluna_splunk — Fri, 01 Nov 2019 16:24:31 GMT

Yep. You'd append a | stats count() to your base search to approx that behavior. For now. Welcome any feedback -- scs-alerts@splunk.com and encourage you to sign up for the Investigate trial!