Hi,
I want to setup an alert on my search given below:-
index="foo" source="/servers/logs/access.log" | rex "\"(?<ConsumerIP>[^\"]+)\"\s+(?<RequestTime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s(?<HttpMethod>[^\s]+)\s(?<EndpointURI>[^\s]+)\s(?<ResponseCode>\d+)\s(?<ServerInfo>[^\s]+)\s(?<GatewayIP>[^\s]+)\s(?<Ecid>[^\s]+)\s(?<ResponseTime>.+)" | stats count as TotalHits by EndpointURI
Alert Settings:-
Alert: DOH-PersonProfile Alert
Description:Optional
Alert type: Scheduled
Run on Cron Schedule
Time Range: Last 1 day
Cron Expression: */5 * * * *
Trigger Conditions
Trigger alert when Custom search count>1000
Trigger: Once
Trigger Actions
When triggered
Send emai To abc@company.com
Priority: High
Subject: Splunk Alert: $result.TotalHits$
Total number of requests received are : $requests.TotalHits$
Type: HTML & Plain Text
Why is not the alert working? Could anyone help me with this?
The Crontab Expression got mistyped. It is "*/5 * * * *"
Hi @AdsicSplunk
Splunk writes the logs about mail action in _Internal - python.log & about Scheduled Searches in _Internal - Scheduler.log to see why the alert is failing.
Thanks
Hi @rakshithreddy,
How to fetch the value of TotalHits in the mail? Is this correct - $requests.TotalHits$
ConsumerName TotalHits ErrorCount
ABC 1179 269
If my query result is as above, how can I fetch the value of TotalHits? Please help anyone.