- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Combining two alerts into one condition
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Combining two alerts into one condition
Hi All,
Actually I have conflict while sending the alert, Please consider below scenario,
- detecting and sending alert for when ever server gets disconnected from the network.
- after server gets connected to network and then I have configured one more alert condition for successful connection.
Now I want merge these two alerts into one alert condition like below,
for example :
First server gets disconnected for 30 mins and Splunk will send the alert.
and after successful reconnection then using alert has to be sent to user by using one alert condition.
Can you please help me out that how do I merge two alerts conditions into one condition.
Thanks.
Kishore
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ravikishore19 ,
could you share your searches?
Anyway, you can combine both the searches in one and give a different alert message in the two situations.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Giuseppe,
Thanks for your reply,
Please consider the below two alert conditions,
Condition 1 :
host="ServerName" source="WinEventLog:Blue Prism" "Message=A database error occurred while executing the statement"
"ComputerName=ServerName.alico.corp" The server cannot be found or cannot be accessed.
Condition 2 :
host="ServerName" source="WinEventLog:Blue Prism" "Resource successfully reconnected"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ravikishore19 ,
I'd prefer to have two different alerts than one because they are more manageble.
Only to be precise:
the search is the same in both the alerts:
host="ServerName" source="WinEventLog:Blue Prism"the Condition 1 is:
"A database error occurred while executing the statement"The Condition 2 is:
"Resource successfully reconnected"So, you could run a search like this:
index=wineventlog host="ServerName" source="WinEventLog:Blue Prism"
| eval type=if(searchmatch("A database error occurred while executing the statement"),"Alert 1","Alert 2")
| dedup type
| table _time typeA little hint: use always the index in the main search, it's quicker!
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Giuseppe,
Thanks for the reply,
I can see that you use alert condition1 in below,
index=wineventlog host="ServerName" source="WinEventLog:Blue Prism"
| eval type=if(searchmatch("A database error occurred while executing the statement"),"Alert 1","Alert 2")
| dedup type
| table _time type
How do you include the Alert 2 in above search query.
Please kindly let me know the settings for sending email for above two alerts in different time frames.
Regards,
Kishore
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ravikishore19 ,
sorry I forgot a par of the answer:
index=wineventlog host="ServerName" source="WinEventLog:Blue Prism" ("A database error occurred while executing the statement" OR "Resource successfully reconnected")
| eval type=if(searchmatch("A database error occurred while executing the statement"),"Alert 1","Alert 2")
| dedup type
| table _time typeif I correctly understood, the main search is the same and there'a a different string for condition 1 and 2.
In this way, you have the main search and the two conditions.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Giuseppe,
Thanks for the reply,
The two conditions which I have been provided are two different main searches for my monitoring.
So when the first search detects the server disconnection then we should get the email alert.
Same wise for second search we need to receive the alert after successful reconnection .
so we need to know how do we send these two alerts in different time frames by merging these main searches.
I request please kindly let me know the settings for the same.
Regards,
Kishore
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ravikishore19 ,
I continue to ununderstand why you want only one search, in my opinion, it's better to have two alerts!
anyway, with the above search you have both the conditions in one alert.
Using it you can detect both the conditions, what do you need a correlation between them?
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Splunk team,
Can you please kindly suggest any idea on "
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
