Solved: Alert when count is less than a certain threshold

cpraznowski_spl · ‎05-09-2016

Hi...here is my search:

sourcetype="isc:dhcp"   earliest=-10m@s latest=now |    stats count  as dhcp_count by _time | where dhcp_count<5000

I'll usually get returned stats:
4800
10,000
11,000

I have this running on 5 minute cron schedule...don't see results. Perhaps I shall try real-time every 5 minutes...any thoughts appreciated

somesoni2 · ‎05-10-2016

Try this

alert search

sourcetype="isc:dhcp"   earliest=-11m@m latest=-1m@m|    stats count  as dhcp_count by _time | where dhcp_count<5000

Alert schedule - Cron

1-59/5 * * * *

Alert condition

When number of events > 0

View solution in original post

somesoni2 · ‎05-10-2016

Try this

alert search

sourcetype="isc:dhcp"   earliest=-11m@m latest=-1m@m|    stats count  as dhcp_count by _time | where dhcp_count<5000

Alert schedule - Cron

1-59/5 * * * *

Alert condition

When number of events > 0

cpraznowski_spl · ‎05-10-2016

woohoo, thanks a ton

woodcock · ‎05-09-2016

You have not specified the most important part: what is your timepicker? Typically, this range is similar to the period so maybe you are running with Last 5 minutes which maybe is not a long enough timespan to ever rack up 5000 hits. When you say you "usually get ...", what was your timepicker value?

woodcock · ‎05-10-2016

Surely you do not have 11K events per second, right? Your BY _time clause seems silly to me; probably you should be doing this instead:

 sourcetype="isc:dhcp" earliest=-10m@s latest=now | stats count AS dhcp_count | where dhcp_count<5000

And I would put the | where ... part inside your alert threshold settings.

cpraznowski_spl · ‎05-10-2016

Not quite....11K events per 5 minute period

..And I would put the | where ... part inside your alert threshold settings.... that's what I think I need to try..thanks

cpraznowski_spl · ‎05-10-2016

thanks ! 🙂

cpraznowski_spl · ‎05-10-2016

Last ten minutes: earliest=-10m@s latest=now

jkat54 · ‎05-09-2016

Why do you have the "by clause" in your stats command, or a stats command at all? Shouldnt it just be:

 sourcetype="isc:dhcp" earliest=-10m@s latest=now | where count<5000

See if that helps.

cpraznowski_spl · ‎05-10-2016

by clause because the dchp server sends logs every 5 minutes
12:10 4800
12:15 10000
12:20 12000

The span is 10 minutes in period, so I want to alert when any of the _time dimensions < 5000

somesoni2 · ‎05-09-2016

Don't do real-time scheduled alert as it never ends. When you say your don't see result mean that alert is not triggered?

cpraznowski_spl · ‎05-09-2016

hi...yes, thanks for responding, I get the results above in my stats table, but when I access, Activity, Triggered alerts (search all)...I do not see results. In the above example, I was expecting to see the alert triggered b/c the count was 4,800...ie <5000

somesoni2 · ‎05-09-2016

The result that you gave, is it from the search which includes the where clause? Can you check in the scheduler logs to see what is the result_count returned by the search?

index=_internal sourcetype=scheduler savedsearch_name="YourAlertSearchName"

cpraznowski_spl · ‎05-10-2016

cool, will take a look

Alert when count is less than a certain threshold

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk