Alerting

Alert with 3 different thresholds for 3 different events in one alert

cbiraris
Path Finder

Hi team,

I need help to create a query with 3 different thresholds for 3 different events in a single Splunk alert.

For example:

index= abc
sourcetype=xyz

"warning" OR "Error" OR Critical

If any of these ("warning" OR "Error" OR Critical) occurred 5 times in the events of the last 15 minutes, the alert should be triggered.


gcusello
SplunkTrust

Hi @cbiraris ,

I suppose that these three values are in a field (e.g. type), so you can run a search like the following:

index=abc sourcetype=xyz type IN ("warning", "Error", "Critical")
| stats
    count(eval(type="warning")) AS warning_count
    count(eval(type="Error")) AS Error_count
    count(eval(type="Critical")) AS Critical_count
| where warning_count>=5 OR Error_count>=5 OR Critical_count>=5

you can also set up a different threshold for each type of message.

If you don't have the three values in a field, you have to use a similar search:

index=abc sourcetype=xyz ("warning" OR "Error" OR "Critical")
| stats
    count(eval(searchmatch("warning"))) AS warning_count
    count(eval(searchmatch("Error"))) AS Error_count
    count(eval(searchmatch("Critical"))) AS Critical_count
| where warning_count>=5 OR Error_count>=5 OR Critical_count>=5

Ciao.

Giuseppe
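To turn the search above into the single scheduled alert the question asks for, here is an added example (not code from the thread or from Splunk) of a savedsearches.conf stanza that runs the searchmatch variant every 15 minutes over the preceding 15 minutes with a separate threshold per level. The stanza name, the index and sourcetype names, and the three thresholds are assumptions.

```ini
# Added example, not from the thread: one scheduled alert with its own
# threshold per message level. Stanza name, index, sourcetype and the
# threshold values are assumptions chosen for illustration.
[alert_abc_xyz_log_levels_15m]
enableSched = 1
# Run every 15 minutes and look back over the previous 15 minutes.
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
# count(eval(...)) counts the events that match each condition; values()
# would only list the distinct matches, so it cannot be compared to a number.
# The where clause keeps the single stats row only if at least one level
# reached its own threshold, so the alert fires on any of the three.
search = index=abc sourcetype=xyz ("warning" OR "Error" OR "Critical") \
    | stats count(eval(searchmatch("warning")))  AS warning_count \
            count(eval(searchmatch("Error")))    AS Error_count \
            count(eval(searchmatch("Critical"))) AS Critical_count \
    | where warning_count>=5 OR Error_count>=3 OR Critical_count>=1
# Trigger when the search returns a row (i.e. a threshold was reached).
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# List firings under Triggered Alerts in Splunk Web.
alert.track = 1
# Throttle so one burst of matching events produces one alert per window.
alert.suppress = 1
alert.suppress.period = 15m
```

Because the stats row carries all three counts, the alert's notification can show which level crossed its threshold without a second search.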

cbiraris
Path Finder

Thank you, this one is working for me 🙂



ITWhisperer
SplunkTrust

Please clarify your requirement: do you want the alert to trigger if any of the values occurs 5 times, e.g. 2 warnings, 2 errors and 1 critical, or only if any of them individually occurs 5 times, e.g. 5 warnings or 5 errors or 5 criticals?

cbiraris
Path Finder

Yes, only if any of them individually occurs 5 times, e.g. 5 warnings or 5 errors or 5 criticals.
