topic Re: How to trigger an custom alert condition of multiples from the basic search of Splunk? in Splunk Search

How to trigger an custom alert condition of multiples from the basic search of Splunk?

AjayTakur — Wed, 03 May 2023 16:05:24 GMT

I am new to Splunk and facing an issue while setting up the custom alert. The results as shown in Table 1.

I have tried the one which is highlighted in red color below is not working.

How do I configure for both of the values ie., DCOEtransfercount and NDMCopycount?

Note: Ignore the DCOEtransfercount and NDMCopycount labels in both of the tables.

Re: How to trigger an custom alert condition of multiples from the basic search of Splunk?

richgalloway — Wed, 03 May 2023 16:53:40 GMT

I've had the best results by putting the trigger criteria in the search and then have the alert trigger when the number of results is not zero.

<<your search>> | where (DCOEtransfercount=1 AND NDNCopycount=1)

It's also possible your current settings would work by changing "and" to "AND" in the trigger condition.

Re: How to trigger an custom alert condition of multiples from the basic search of Splunk?

AjayTakur — Thu, 04 May 2023 08:02:58 GMT

By changing "and" to "AND" in the trigger condition does not work. since I assume the table has multiple rows each for DCOEtransfercount & NDNCopycount. hence it is not working. how do those two conditions together make it work with different rows?

Re: How to trigger an custom alert condition of multiples from the basic search of Splunk?

PickleRick — Thu, 04 May 2023 09:51:44 GMT

Changing "and" to "AND" is simply a syntactic fix since the logical operator must be uppercase so lowercase "and" would search for the string "and" in your results.

Anyway, your requirement seems a bit vague so it would be best if you shared (anonymized if needed) sample of output of your scheduled search and explained when you would like the alert triggered.

Re: How to trigger an custom alert condition of multiples from the basic search of Splunk?

AjayTakur — Thu, 04 May 2023 09:58:51 GMT

By putting the trigger criteria in the search
<<your search>>
| where (DCOEtransfercount=1 AND NDNCopycount=1)
is also getting events irrespective of whether the value is 1/2/3 for both the DCOEtransfercount AND NDNCopycount. It seems that the where a condition is not working.

Re: How to trigger an custom alert condition of multiples from the basic search of Splunk?

AjayTakur — Thu, 04 May 2023 11:01:01 GMT

The trigger condition is

DCOEtransfercount=1 AND NDNCopycount=1

Search query is

...
| append [search index="pd" "successful" "notif/output/"
  | stats count as DtransferCount by _raw 
  | fields DtransferCount 
  | rename _raw as Dtransfer] 
| append [search index="pd" "SBID=nr" "DM" "PAM=sende" "notif/archive/" 
  | stats count as DMCopyCount by _raw 
  | fields DMCopyCount
  | rename _raw as DMCopy]

Results are:

Re: How to trigger an custom alert condition of multiples from the basic search of Splunk?

PickleRick — Thu, 04 May 2023 11:12:12 GMT

OK. So your options are:

1. Rework your search so that the results are aggregated into single event so that you can compare different fields within a single event or

2. Use something like |stats values in your condition search to "compress" the results and then compare aggregated fields.

Re: How to trigger an custom alert condition of multiples from the basic search of Splunk?

AjayTakur — Thu, 04 May 2023 11:30:42 GMT

Could you provide me with the query using option 2..

Re: How to trigger an custom alert condition of multiples from the basic search of Splunk?

PickleRick — Thu, 04 May 2023 11:57:01 GMT

Something like

stats  values(*) as * | where DCOEtransfercount=1 AND NDNCopycount=1

as the alert condition.

Might need further tweaking if you expect multiple result rows in your original results.