https://community.splunk.com/t5/Splunk-Search/assign-the-value-to-another-variable-and-set-an-alert/m-p/576207#M200807 <P>It works great.<BR />Thank you for your help.</P> Wed, 24 Nov 2021 15:28:58 GMT ycho1 2021-11-24T15:28:58Z https://community.splunk.com/t5/Splunk-Search/assign-the-value-to-another-variable-and-set-an-alert/m-p/576089#M200762 <P>hello,</P><P>I would like to ask a question on how to assign the value to another variable and set an alert.<BR />I have a this data output from Splunk.</P><P>I would like to assign the value to another variables and set an alert when the value become(s) is greater than a threshold like 10 or 20.<BR /><BR /></P><P>for example<BR />when TX_UPS value &gt;= 10, then I send an alert.</P><P>how should I approach this in Splunk Alert job?</P><P><BR />shipper count<BR />TX_UPS 10<BR />TX_USPS 15<BR />TX_FedEx 5<BR />CO_UPS 5<BR />CO_USPS 9<BR />CO_FedEx 2<BR />MO_UPS 5<BR />MO_USPS 20<BR />MO_FedEx 3<BR />GA_UPS 15<BR />GA_USPS 10<BR />GA_FedEx 5<BR />PA_UPS 9<BR />PA_USPS 21<BR />PA_FedEx 8<BR />NY_UPS 30<BR />NY_USPS 99<BR />NY_FedEx 20</P><P>index=main AND "*TRACKING*"<BR />| stats count by shipper</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 23 Nov 2021 21:11:15 GMT https://community.splunk.com/t5/Splunk-Search/assign-the-value-to-another-variable-and-set-an-alert/m-p/576089#M200762 ycho1 2021-11-23T21:11:15Z https://community.splunk.com/t5/Splunk-Search/assign-the-value-to-another-variable-and-set-an-alert/m-p/576099#M200767 <P>This seems pretty straightforward so I must be missing something.&nbsp; This query will trigger an alert if any shipper has a count greater than 10, provided the alert is set to trigger when there are more than zero results.</P><LI-CODE lang="markup">index=main AND "*TRACKING*" | stats count by shipper | where count &gt; 10</LI-CODE> Tue, 23 Nov 2021 22:02:13 GMT https://community.splunk.com/t5/Splunk-Search/assign-the-value-to-another-variable-and-set-an-alert/m-p/576099#M200767 richgalloway 2021-11-23T22:02:13Z https://community.splunk.com/t5/Splunk-Search/assign-the-value-to-another-variable-and-set-an-alert/m-p/576100#M200768 <P>Thank you&nbsp;<SPAN>richgalloway for your input.</SPAN></P><P><SPAN>However,&nbsp;</SPAN>I need to know the shipper name that becomes above the threshold.</P><P>since there a multiple shippers, I need to specify which shipper has greater than the threshold.<BR />your solution "where count &gt; 10" doesn't tell me which shipper name though.<BR />My guess would be I need to assign each shipper value<BR />for example:<BR /><BR />| eval TX_UPS_VAL = (count AND where shipper = TX_UPS)<BR />does it make sense?</P> Tue, 23 Nov 2021 22:13:48 GMT https://community.splunk.com/t5/Splunk-Search/assign-the-value-to-another-variable-and-set-an-alert/m-p/576100#M200768 ycho1 2021-11-23T22:13:48Z https://community.splunk.com/t5/Splunk-Search/assign-the-value-to-another-variable-and-set-an-alert/m-p/576184#M200793 <P>Did you TRY the query?</P><P>The command <FONT face="courier new,courier">| stats count by <STRONG>shipper</STRONG></FONT> does indeed specify the shipper name.</P><P>The command <FONT face="courier new,courier">| where count &gt; 10</FONT> merely removes those results with a count less than or equal to ten.</P><P>You should end up with something like this:</P><LI-CODE lang="markup">shipper count TX_USPS 15 MO_USPS 20 GA_UPS 15 PA_USPS 21 NY_UPS 30 NY_USPS 99 NY_FedEx 20</LI-CODE> Wed, 24 Nov 2021 13:57:42 GMT https://community.splunk.com/t5/Splunk-Search/assign-the-value-to-another-variable-and-set-an-alert/m-p/576184#M200793 richgalloway 2021-11-24T13:57:42Z https://community.splunk.com/t5/Splunk-Search/assign-the-value-to-another-variable-and-set-an-alert/m-p/576207#M200807 <P>It works great.<BR />Thank you for your help.</P> Wed, 24 Nov 2021 15:28:58 GMT https://community.splunk.com/t5/Splunk-Search/assign-the-value-to-another-variable-and-set-an-alert/m-p/576207#M200807 ycho1 2021-11-24T15:28:58Z