Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alert Creation for indexes showing events less than threshold

harshsri21
New Member
‎05-11-2017 03:09 AM

I am new to splunk.

Trying to create an alert if any of the indexes shows event count less than the defined threshold. Below is my alert search query which i run every hour past 15.

| metasearch index=ip-bluecoat OR index=ip-fass-siteminder OR index=ip-win-evt OR index=ip-glux
| stats count by index|appendcols [|inputlookup feed_baseline_count.csv|table index,baseline_count]|where count < baseline_count

Below is the table for my lookup:

index baseline_count
ip-bluecoat 3000000
ip-faas_siteminder 1000
ip-glux 2000000
ip-winevt 20000000

It is not working as expected. Can somebody please help in correcting the query or the approach.

Thanks in advance.

Tags (2)
0 Karma
Reply

lguinn2
Legend
‎05-12-2017 12:48 AM

I think that appendcols is not working as you might expect - it makes no attempt to order the rows so that they "match."
Try this instead:

| tstats count where index=ip-bluecoat OR index=ip-fass-siteminder OR index=ip-win-evt OR index=ip-glux by index
| append [ inputlookup feed_baseline_count.csv ]
| stats first(*) as * by index
| where count < baseline_count

Be sure that you are specifying the timerange properly when you run the search...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...