Solved: Creating an alert

amirarsalan · ‎11-14-2019

Hi! Need some help with an alert. I just created an alert. Look at the attached pic. I want it to look today's results and based on my limit send an alert. Right now it check 24 hours back each 5 minutes. But I want it to check today's result and based on that send an alert. Then i wondering if i can make anything to send an update when the alert is solved.

Can someone assist plz

gfreitas · ‎11-15-2019

Use on the Earliest: @d and for latest use: now
That is the equivalent to today

View solution in original post

gfreitas · ‎11-15-2019

Use on the Earliest: @d and for latest use: now
That is the equivalent to today

gcusello · ‎11-14-2019

Hi @amirarsalan,
could you share your search?
because with the interface you inserted in the question you manage the execution of the check, but the conditions to check are in the main search not here.

Ciao.
Giuseppe

amirarsalan · ‎11-15-2019

index =xxxxx account_id event_name = "xxxxxx" brand = "xxxxx"
| lookup currency_eur currency AS currency OUTPUT currency_to_eur AS currency_to_eur

| eval xxxxx = coalesce((bonus_amount + amount),0)
| eval xxxxx_EUR = IF(market = "DK", (Bonus_Amt*0.134), Bonus_Amt*currency_to_eur)
| bin _time span=15m
| eval Hour = STRFTIME(_time, "%H:%M")
| eval Day = STRFTIME(_time,"%Y-%m-%d")
| eval where_clause = IF("GB" = "-All-", "%%", "GB")
| where market LIKE where_clause
| stats SUM(Bonus_Released_EUR) AS "TOTALR"
| search TOTALR>16500

Creating an alert

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation