Can you help me create an alert that triggers when search results are higher than a specific value in a column?

New Member

I am trying to trigger an alert based on a value that is in a column. Below is the search I am running

|node_details(SERVER NAME) |  search Node_ID="Node3" (stats.key="node.cpu.sys.max" OR stats.key="node.cpu.user.max") | eval usage_by = case('stats.key'="node.cpu.user.max", "User", 'stats.key'="node.cpu.sys.max", "System") | eval stats.value = round(('stats.value'/10),1)| timechart span=5m avg(stats.value) by usage_by 

Basically, I want to alert anytime the System is greater than X.

I have tried using a custom alert condition and have added where System > 4

But, that has not helped. Can someone recommend a solution please?
Thanks


SplunkTrust

@uvmk61,

Just a suggestion: if you just want to alert based on one field, you need not select "All Time" and do a timechart, because that searches all your events and sends an alert if the condition matches, even for the past (5 years?). If you are planning to schedule this alert every, let's say, x minutes, then it's better to search only the last x minutes and send an alert.

For example, for the last 10 minutes:

|node_details(SERVER NAME) |  search Node_ID="Node3" (stats.key="node.cpu.sys.max" OR stats.key="node.cpu.user.max") 
| eval usage_by = case('stats.key'="node.cpu.user.max", "User", 'stats.key'="node.cpu.sys.max", "System") 
| eval stats.value = round(('stats.value'/10),1)
| stats avg(stats.value) as stats.value by usage_by
| where 'stats.value' > 4

If you want to restrict it only for System, use where (usage_by="System" AND 'stats.value' > 4)

Let us know if you have other requirements to use the timechart.
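If the timechart is still wanted (for example to alert on any 5-minute bucket rather than on the average over the whole window), the search below is an added example that is not part of either post above. It keeps the fields from the question (node_details macro, Node_ID, stats.key, stats.value) and the threshold of 4 used on this page; the 10-minute window is an assumed value for a search scheduled every 10 minutes. Because timechart ... by usage_by produces one column per value of usage_by, the System and User columns can be tested directly with where. The _time filter via relative_time() restricts the results to the last 10 minutes even if the saved search's time picker is left wider than intended.

```spl
|node_details(SERVER NAME)
| search Node_ID="Node3" (stats.key="node.cpu.sys.max" OR stats.key="node.cpu.user.max")
| where _time >= relative_time(now(), "-10m")
| eval usage_by = case('stats.key'="node.cpu.user.max", "User", 'stats.key'="node.cpu.sys.max", "System")
| eval stats.value = round(('stats.value'/10),1)
| timechart span=5m avg(stats.value) by usage_by
| where System > 4
```

With this search saved as an alert, set the trigger condition to "Number of Results" is greater than 0 rather than a custom condition, since the where clause already removes every row that does not breach the threshold. Buckets with no System data are null in that column and are dropped by where, so they never trigger the alert.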