Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Conditional Alerting help

hoopydave
Path Finder
‎05-08-2019 08:49 AM

Hey all. I'm using Splunk 6.4.10. My search is:
index=myindex host=myhost result error code 100
Trigger Condition: Number of Results is > 0
The Cron schedule is every 5th minute

I'm expecting the results should be 0. I only want to be alerted if the trigger condition is met three times in succession. Many times the condition will correct itself, so I don't want an alert every time, only after the third time.

So to summarize:
I need to setup a conditional alert with the following criteria:
The number of results returned from my search must be greater than 0
Only generate an alert if the trigger condition happens three times in succession. If at any time the results go back to 0 in that time frame, the count resets.

0 Karma
Reply

dmarling
Builder
‎05-08-2019 08:57 AM

It sounds like you only want it to alert if there are three consecutive 5 minute buckets of > 0 results, which would mean we would only need to adjust the query and you can leave everything else the same:

index=myindex host=myhost result error code 100 earliest=-15m latest=now 
| timechart span=5m count 
| search count>0
| stats count 
| search count=3

The above query is now performing a 15 minute look back and performing a count of results from the last 3 5 minute buckets. The subsequent search is filtering out the ones that had zero results. The last stats is counting the amount of rows after that filter and the final search will only return results to trigger an alert if the count equals 3. That should satisfy your requirements.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...