Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Custom request on Splunk alerting

manja054
Explorer
‎08-13-2015 03:25 AM

What am i looking for: My search results contains Count field.

1) if Count greater than Zero should alert once and after alerting once it shouldn't alert till 00:00 AM. (I am writing results from 1st alert in a csv file)

2) if number increases by 5 from that of no. in CSV (csv+5), i should trigger an alert once and after alerting once it shouldn't alert till 00:00 AM

3) if number increases by 10 from that of no. in CSV (Csv+10), i should trigger an alert once and after alerting once it shouldnot alert till 00:00AM

I have to run the query for every 15 min.

Tags (1)
0 Karma
Reply

FritzWittwer_ol
Contributor
‎08-13-2015 06:43 AM

I would try

...your search... 

| eval ts=strftime(_time, "%x") | fields ts
| lookup your_search_key ts OUTPUTNEW count_from_ts
| eval count_from_csv=if(isnull(count_from_csv),-4.count_from_csv)
| eval new=if(count>=count_from_csv+5,1,0)
| search new=1
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...