Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alert custom condition

dhivyamu
Explorer
‎11-27-2019 06:40 AM

My alert search query is like this which runs every 5mins
index="iway_idoc" TMSG_TYPE="SAP_PLANARRIV" | table STATUS
the resultant records can have 2 different status - Delivered and Error

Now, I want to trigger an email if at-least one record with Error is found. I tried giving custom search like

search STATUS=Error
search count(eval(STATUS="Error")) > 1

It didn't work 😞

Can someone help in this please ??

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎11-27-2019 10:30 AM

Like this:

index="iway_idoc" AND TMSG_TYPE="SAP_PLANARRIV"
| stats count BY STATUS
| where match(STATUS, "Error") AND count > 0
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-27-2019 08:21 AM

HI @dhivyamu,
try something like this

index="iway_idoc" TMSG_TYPE="SAP_PLANARRIV" STATUS=Error

Alert must be triggered when results are grether than 0
In othe words: if you have results you have errors.

You could also add a command to display e.g. the host list or the module list to have in the alert more infos.

Ciao.
Giuseppe

Reply

jaime_ramirez
Communicator
‎11-27-2019 08:15 AM

Could you try this instead:

index="iway_idoc" TMSG_TYPE="SAP_PLANARRIV" 
| table STATUS
| search STATUS=Error
| stats count

This will count the records with STATUS=Error and then you can configure your alert to trigger if the count > 0.

For aggregate/statistical operations you should use stats command: https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/SearchReference/Stats

Hope it helps!!!

0 Karma
Reply

to4kawa
Ultra Champion
‎11-27-2019 08:27 AM 
index="iway_idoc" TMSG_TYPE="SAP_PLANARRIV" STATUS=Error
|stats count by your_important_message_field

Hi, folks.
If you set it up as @jaime.ramirez says and write $result.your_inportant_message_field$ in the body, you'll get better.

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...