Hello,
I need to set an alert on a scheduled search when the Total of the rows increases and need help making the custom condition. I tried doing "if number of events rises by 1" but it didn't seem to work.
I was thinking something along the lines of:
search Total rises by 1
Trigger alert conditions work like below:
'Number of events' is equal to | greater than | less than
Say you give the value as greater than '0'; if your search query returns:
0 results - it will not trigger the alert
1 result - it will trigger the alert
http://answers.splunk.com/answers/6843/alert-when-rises-by-issue
Check this out...
I need to use the 'rises by' function though.