Alerting

Alert when "rises by" issue

hbazan
Path Finder

Hi. I have scheduled a search to run at midnight, and I need to send a mail if the number of returned events is greater than the day before. I've configured this:

Schedule type: Basic
Run every: Day at midnight

Alert conditions: Perform actions if number of events rises by 1

Alert actions: Send email

Either I've misinterpreted the "rises by" setting, or it's not working, because I ran the search yesterday and got 6 events, ran it today and got 9 events, but Splunk didn't send the alert. Any thoughts?


Genti
Splunk Employee

Hey HB.
I cannot tell from your question whether the search ran automatically (scheduled) the first time or not, but the way "rises by" works is this:

Day 0: You automatically run a search and get 5 results
Day 1: You decide to schedule this search and alert you if the events rise. This search returns 8 results but will not alert you, because there is no baseline for this search to compare the 8 results to.
Day 2: The search runs again, this time returning 10 events, and SHOULD alert you, since 10 - 8 = 2 > 1. In this second scheduled run, there is a baseline of 8 to compare to and an alert should be triggered.

If this is not the behavior you are seeing then you might want to test your email alerting capabilities. If those are working, then perhaps a case with our support should be opened and a diag attached to the case.

Hope this helps,
Cheers!
.gz

hbazan
Path Finder

Hi Genti.
I think I've found the issue. If I go to Jobs and filter on this saved search, the number of events for the last two runs says "0", but if I open the results I do have events (although above the flashtimeline it says "0 matching events"). And if I re-run the search (in the same window) I get the same results, but the "matching events" count is right. Maybe that's what's preventing the alarm from running?

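To make the baseline rule from Genti's answer concrete, and to show why scheduled runs whose recorded result count is 0 (as in the follow-up about the Jobs page) can never fire, here is an added Python simulation of a "rises by N" alert condition. It is not Splunk's code and does not query Splunk; it only replays a sequence of run counts through the rule the answer describes: the first scheduled run records a baseline and never alerts, and every later run is compared against the previous run's count. The strict "greater than N" comparison is taken from the arithmetic in the answer (10 - 8 = 2 > 1) and is an assumption of this model; the run labels and counts are constructed sample data.

```python
"""Simulation of a scheduled search with a "rises by N" alert condition.

Added example, not Splunk's own code. Models the behaviour described in the
thread: the first scheduled run only establishes a baseline, each later run
is compared with the previous run's event count, and the alert fires when the
increase is strictly greater than N (assumption taken from "10 - 8 = 2 > 1").
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class RisesByAlert:
    """State that survives between scheduled runs of one saved search."""

    rises_by: int                                   # the N in "rises by N"
    baseline: Optional[int] = None                  # previous run's event count
    history: List[Dict[str, object]] = field(default_factory=list)

    def evaluate(self, run_label: str, event_count: int) -> bool:
        """Record one scheduled run and return True if the alert fires."""
        if self.baseline is None:
            # First scheduled run: there is nothing to compare against, so the
            # run is silent no matter how many events it returned.
            fired = False
            reason = "no baseline yet"
        else:
            delta = event_count - self.baseline
            fired = delta > self.rises_by
            op = ">" if fired else "<="
            reason = f"{event_count} - {self.baseline} = {delta} {op} {self.rises_by}"
        self.history.append(
            {"run": run_label, "count": event_count, "fired": fired, "reason": reason}
        )
        # Every run, alerting or not, becomes the baseline for the next one.
        self.baseline = event_count
        return fired


def replay(runs: Sequence[Tuple[str, int]], rises_by: int = 1) -> List[str]:
    """Feed (label, event_count) pairs through the alert; return labels that fired."""
    alert = RisesByAlert(rises_by=rises_by)
    return [label for label, count in runs if alert.evaluate(label, count)]


# Constructed samples (not data from the thread's Splunk instance):
# the two scheduled runs from the answer (Day 0 was a manual run, so it is
# not part of the alert's history),
ANSWER_EXAMPLE = [("day1", 8), ("day2", 10)]
# the asker's counts if both runs were scheduled,
ASKER_BOTH_SCHEDULED = [("yesterday", 6), ("today", 9)]
# the asker's counts if yesterday's run was manual and today's is the first
# scheduled run,
ASKER_FIRST_SCHEDULED = [("today", 9)]
# and the same two runs when the job records 0 matching events for each.
ASKER_RECORDED_ZERO = [("yesterday", 0), ("today", 0)]

if __name__ == "__main__":
    for name, runs in [
        ("answer example", ANSWER_EXAMPLE),
        ("asker, both scheduled", ASKER_BOTH_SCHEDULED),
        ("asker, first scheduled run", ASKER_FIRST_SCHEDULED),
        ("asker, count recorded as 0", ASKER_RECORDED_ZERO),
    ]:
        alert = RisesByAlert(rises_by=1)
        for label, count in runs:
            alert.evaluate(label, count)
        print(f"{name}:")
        for entry in alert.history:
            print(f"  {entry['run']}: {entry['count']} events, fired={entry['fired']} ({entry['reason']})")
```

Running the script prints a per-run trace for each scenario. The two that match the asker's situation are instructive: if yesterday's run was manual, today's scheduled run has no baseline and stays silent; and if the job's recorded count is 0 for both runs, the delta is 0 and the condition can never be met even though the result set contains events.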