Alert Configuration based on search results

AdsicSplunk · ‎03-25-2018

Hi,

I want to setup an alert on my search given below:-

index="foo" source="/servers/logs/access.log" | rex "\"(?<ConsumerIP>[^\"]+)\"\s+(?<RequestTime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s(?<HttpMethod>[^\s]+)\s(?<EndpointURI>[^\s]+)\s(?<ResponseCode>\d+)\s(?<ServerInfo>[^\s]+)\s(?<GatewayIP>[^\s]+)\s(?<Ecid>[^\s]+)\s(?<ResponseTime>.+)" | stats count as TotalHits by EndpointURI

Alert Settings:-

Alert: DOH-PersonProfile Alert
Description:Optional
Alert type: Scheduled
Run on Cron Schedule
Time Range: Last 1 day
Cron Expression: */5 * * * *
Trigger Conditions
Trigger alert when Custom search count>1000
Trigger: Once

Trigger Actions
When triggered
Send emai To abc@company.com
Priority: High
Subject: Splunk Alert: $result.TotalHits$
Total number of requests received are : $requests.TotalHits$
Type: HTML & Plain Text

Why is not the alert working? Could anyone help me with this?

AdsicSplunk · ‎03-25-2018

The Crontab Expression got mistyped. It is "*/5 * * * *"

rakshithreddy · ‎03-25-2018

Hi @AdsicSplunk

Splunk writes the logs about mail action in _Internal - python.log & about Scheduled Searches in _Internal - Scheduler.log to see why the alert is failing.

Thanks

AdsicSplunk · ‎03-25-2018

Hi @rakshithreddy,

How to fetch the value of TotalHits in the mail? Is this correct - $requests.TotalHits$

AdsicSplunk · ‎03-25-2018

ConsumerName TotalHits ErrorCount
ABC          1179      269

If my query result is as above, how can I fetch the value of TotalHits? Please help anyone.

Alert Configuration based on search results

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk