https://community.splunk.com/t5/Splunk-Search/Alert-on-table-with-custom-email-subject-field-value/m-p/706932#M239163 <P>I got an alert working "for each result" by using a query that creates the following table:</P><P>errorType&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;count</P><P>Client&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 10<BR />Credentials&nbsp; &nbsp; &nbsp; 50<BR />Unknown&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;5</P><P>How do I set a different threshold for each result?</P><P>I tried using a custom trigger as follows and was hoping to only get an email for "client" and "credentials", but I still get all 3.</P><P>&nbsp;</P><LI-CODE lang="markup">search (errorType = "Client" AND count &gt; 8 ) OR (errorType = "Credentials" AND count &gt; 8 ) OR (errorType = "Other" AND count &gt;8 )</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 16 Dec 2024 18:05:18 GMT rmiller3 2024-12-16T18:05:18Z https://community.splunk.com/t5/Splunk-Search/Alert-on-table-with-custom-email-subject-field-value/m-p/706932#M239163 <P>I got an alert working "for each result" by using a query that creates the following table:</P><P>errorType&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;count</P><P>Client&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 10<BR />Credentials&nbsp; &nbsp; &nbsp; 50<BR />Unknown&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;5</P><P>How do I set a different threshold for each result?</P><P>I tried using a custom trigger as follows and was hoping to only get an email for "client" and "credentials", but I still get all 3.</P><P>&nbsp;</P><LI-CODE lang="markup">search (errorType = "Client" AND count &gt; 8 ) OR (errorType = "Credentials" AND count &gt; 8 ) OR (errorType = "Other" AND count &gt;8 )</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 16 Dec 2024 18:05:18 GMT https://community.splunk.com/t5/Splunk-Search/Alert-on-table-with-custom-email-subject-field-value/m-p/706932#M239163 rmiller3 2024-12-16T18:05:18Z https://community.splunk.com/t5/Splunk-Search/Alert-on-table-with-custom-email-subject-field-value/m-p/706939#M239165 <P>That should work already. Could you try putting that search filter at the end of your alert search?</P><LI-CODE lang="markup">&lt;yoursearch&gt; | search (errorType = "Client" AND count &gt; 8 ) OR (errorType = "Credentials" AND count &gt; 8 ) OR (errorType = "Other" AND count &gt; 8 )</LI-CODE><P>&nbsp;</P> Mon, 16 Dec 2024 19:15:31 GMT https://community.splunk.com/t5/Splunk-Search/Alert-on-table-with-custom-email-subject-field-value/m-p/706939#M239165 marnall 2024-12-16T19:15:31Z https://community.splunk.com/t5/Splunk-Search/Alert-on-table-with-custom-email-subject-field-value/m-p/706952#M239166 <P>That works.&nbsp; I was really trying to have a custom alert message with just the thresholds (since my query categorizes different error types and is fairly long, I was hoping not to put it in the alert email).&nbsp;</P><P>However, I think putting the whole query is fine at the end of the day, thanks!</P> Mon, 16 Dec 2024 20:41:10 GMT https://community.splunk.com/t5/Splunk-Search/Alert-on-table-with-custom-email-subject-field-value/m-p/706952#M239166 rmiller3 2024-12-16T20:41:10Z