Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Combining two alerts into one condition

ravikishore19
Observer
‎06-03-2020 08:02 PM

Hi All,

Actually I have conflict while sending the alert, Please consider below scenario,

  1. detecting and sending alert for when ever server gets disconnected from the network.
  2. after server gets connected to network and then I have configured one more alert condition for successful connection.

Now I want merge these two alerts into one alert condition like below,

for example :
First server gets disconnected for 30 mins and Splunk will send the alert.
and after successful reconnection then using alert has to be sent to user by using one alert condition.

Can you please help me out that how do I merge two alerts conditions into one condition.

Thanks.
Kishore

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-16-2020 11:34 PM

Hi @ravikishore19 ,

could you share your searches?

Anyway, you can combine both the searches in one and give a different alert message in the two situations.

Ciao.

Giuseppe

0 Karma
Reply

ravikishore19
Observer
‎06-18-2020 10:28 PM 
Hi Giuseppe,

Thanks for your reply,

Please consider the below two alert conditions,

Condition 1 : 
host="ServerName" source="WinEventLog:Blue Prism" "Message=A database error occurred while executing the statement"
"ComputerName=ServerName.alico.corp" The server cannot be found or cannot be accessed.

Condition 2 : 
host="ServerName" source="WinEventLog:Blue Prism"  "Resource successfully reconnected"
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-18-2020 11:48 PM

Hi @ravikishore19 ,

I'd prefer to have two different alerts than one because they are more manageble.

Only to be precise:

the search is the same in both the alerts:

host="ServerName" source="WinEventLog:Blue Prism"

the Condition 1 is:

"A database error occurred while executing the statement"

The Condition 2 is:

"Resource successfully reconnected"

So, you could run a search like this:

index=wineventlog host="ServerName" source="WinEventLog:Blue Prism"
| eval type=if(searchmatch("A database error occurred while executing the statement"),"Alert 1","Alert 2")
| dedup type
| table _time type

A little hint: use always the index in the main search, it's quicker!

Ciao.

Giuseppe

0 Karma
Reply

ravikishore19
Observer
‎06-22-2020 03:22 AM

Hi Giuseppe,

Thanks for the reply,

I can see that you use alert condition1 in below,

index=wineventlog host="ServerName" source="WinEventLog:Blue Prism"
| eval type=if(searchmatch("A database error occurred while executing the statement"),"Alert 1","Alert 2")
| dedup type
| table _time type

 

How do you include the Alert 2 in above search query.

Please kindly let me know the settings for sending email for above two alerts in different time frames.

 

Regards,

Kishore

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-22-2020 05:14 AM

Hi @ravikishore19 ,

sorry I forgot a par of the answer:

index=wineventlog host="ServerName" source="WinEventLog:Blue Prism" ("A database error occurred while executing the statement" OR "Resource successfully reconnected")
| eval type=if(searchmatch("A database error occurred while executing the statement"),"Alert 1","Alert 2")
| dedup type
| table _time type

if I correctly understood, the main search is the same and there'a a different string for condition 1 and 2.

In this way, you have the main search and the two conditions.

Ciao.

Giuseppe

0 Karma
Reply

ravikishore19
Observer
‎06-23-2020 02:41 AM

Hi Giuseppe,

Thanks for the reply,

 

The two conditions which I have been provided are two different main searches for my monitoring.

So when the first search detects the server disconnection then we should get the email alert.

Same wise for second search we need to receive the alert after successful reconnection .

so we need to know how do we send these two alerts in different time frames by merging these main searches.

I request please kindly let me know the settings for the same.

 

Regards,

Kishore

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-23-2020 06:19 AM

Hi @ravikishore19 ,

I continue to ununderstand why you want only one search, in my opinion, it's better to have two alerts!

anyway, with the above search you have both the conditions in one alert.

Using it you can detect both the conditions, what do you need a correlation between them?

Ciao.

Giuseppe

0 Karma
Reply

ravikishore19
Observer
‎06-16-2020 08:50 PM

Dear Splunk team,

 

Can you please kindly suggest any idea on "

Combining two alerts into one condition".
 
waiting for your kind response.
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...