I am using the Manager to set up a saved search/alert. Splunk runs a script every so often with an output like this:
Active channel: primary channel
If "primary" ever changes to "backup", it alerts us via e-mail. "primary" is in a field called "ent_status".
In the manager, I created a search like this:
sourcetype="echk" ent_channel=backup
Using the menus-for-dummies, I told it "if number of events is greater than 0", send us an e-mail. Works great.
But now I may be using a third party app to throttle the alerts (see my other question from earlier this morning). I need to re-format my alert to put into the "if custom condition is met" field.
I'm having trouble doing this because "ent_channel" isn't an integer; I don't know how to do a compare. How do I translate "if number of events is greater than zero" into a search/alert command?
I have the feeling I'm making this harder than it really is.
Thank you very much.
| stats count | where count>0
Now that was easy, heh. Thanks!
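Putting the accepted answer together with the base search from the question, as an added example rather than code from the thread: the custom condition is simply the counting pipeline appended to the original search, so no integer comparison on the string field is needed. The second search is an assumed alternative (not from the answer) that keeps every echk event and does the string comparison inside the search with eval, which also surfaces the most recent channel value in the alert results.

```spl
sourcetype="echk" ent_channel=backup
| stats count
| where count > 0

sourcetype="echk"
| eval on_backup=if(ent_channel=="backup", 1, 0)
| stats sum(on_backup) AS backup_events, latest(ent_channel) AS current_channel
| where backup_events > 0
```

In both forms the search returns a row only when a backup event exists, so a custom condition of "results returned" fires exactly when "number of events greater than zero" would have.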