Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alerts searching for statistics - not events

teknet9
Path Finder
‎08-28-2016 02:12 AM

Hello Team,

I have a search which is returning statistics (not events).
I would like to generate alert and call custome bash script only in case where i have at least 1 statistic result like this:

alt text

While i do not want to call external script when having 0 statistic results like this:

alt text

Please keep in mind that for both we do have 1 event found - and that is irrelevant.

I have read:
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/Configuringalertsinsavedsearches.conf

And can see: "Alerts use a saved search to look for events". But in my case i am not interested in events but statistics.
Possible ?

How to launch external script easily in case i have a match and statistic data is produced ?

Thanks,
Michal

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-28-2016 02:47 AM

Save the search as an alert, set the alert to trigger when there is more than zero results, and have the alert call your external script as an alert action.

I'd recommend doing that through the UI, but if you want to use savedsearches.conf directly these are some relevant settings:
http://docs.splunk.com/Documentation/Splunk/6.4.3/admin/savedsearchesconf#Notification_options - the value might be "number of events", but it's actually triggering based on number of results
http://docs.splunk.com/Documentation/Splunk/6.4.3/admin/savedsearchesconf#Settings_for_script_action

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-28-2016 02:47 AM

Save the search as an alert, set the alert to trigger when there is more than zero results, and have the alert call your external script as an alert action.

I'd recommend doing that through the UI, but if you want to use savedsearches.conf directly these are some relevant settings:
http://docs.splunk.com/Documentation/Splunk/6.4.3/admin/savedsearchesconf#Notification_options - the value might be "number of events", but it's actually triggering based on number of results
http://docs.splunk.com/Documentation/Splunk/6.4.3/admin/savedsearchesconf#Settings_for_script_action

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-29-2016 03:21 PM

Splunk Free doesn't have alerting.

0 Karma
Reply
Solved! Jump to solution

teknet9
Path Finder
‎08-29-2016 01:11 AM

Hi Martin,

I do not see that option in UI, is that possible because of the fact that i have free/trial version in the lab ?
(while full/entrprise in the production) ?

Can i still do it via conf files in CLI ?

alt text

Thanks,

Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...