Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can i add alert to my search query using trigger condition alert

neilfajardo15
Engager
‎10-05-2021 03:01 AM

Hi, Im setting up an alert for data flow the alert build is when the application is not running it will send us an alert and i use trigger condition in the alert. 
here is the search query 
| eval value1=if(like(sample, "value1"), 1,0), value2=if(like(sample, "value2"), 1,0), value3=if(like(sample, "value3"), 1,0)
| stats sum(value1) as VALUE1, sum(value2) as VALUE2, sum(value3) as VALUE3
| table VALUE1, VALUE2, VALUE3
 
and for the alert condition i use this command 
search VALUE1 = 0 

"0" because in the sum it indicates that the 0 means data is not flowing in splunk meaning the application is down 

Thanks in advance

Labels (1)
Labels
0 Karma
Reply

neilfajardo15
Engager
‎10-05-2021 03:55 AM

Hi thanks for the answer, but im still not able to receive alerts 😞 im using email alerts 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2021 04:40 AM

How have you set up your alerts?

0 Karma
Reply

neilfajardo15
Engager
‎10-05-2021 04:59 AM

here is my original query
| eval amd-eu1=if(like(namespace, "amd-eu1"), 1,0),
amd-eu2=if(like(namespace, "amd-eu2"), 1,0), amd-eu3=if(like(namespace, "amd-eu3"), 1,0), amd-eu4=if(like(namespace, "amd-eu4"), 1,0),
amd-eu5=if(like(namespace, "amd-eu5"), 1,0), amd-ap1=if(like(namespace, "amd-ap1"), 1,0), amd-am1=if(like(namespace, "amd-am1"), 1,0)
| stats sum(amd-eu1) as AMD_EU1, sum(amd-eu2) as AMD_EU2, sum(amd-eu3) as AMD_EU3, sum(amd-eu4) as AMD_EU4, sum(amd-eu5) as AMD_EU5, sum(amd-ap1) as AMD_AP1, sum(amd-am1) as AMD_AM1

i have remove the table 

0 Karma
Reply

neilfajardo15
Engager
‎10-05-2021 04:44 AM

I use this and it is realtime 

neilfajardo15_0-1633434243428.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2021 05:13 AM

Rather than custom, can you use number of results returned by the search?

0 Karma
Reply

neilfajardo15
Engager
‎10-05-2021 05:43 AM

But due to the stats sum and the value inside it a table will be created then it will be a result for the search 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2021 05:53 AM

Put the where as part of your search rather than the custom condition on the alert

0 Karma
Reply

neilfajardo15
Engager
‎10-05-2021 11:08 PM

Hi, Sorry for the late reply the alert works but it was spamming a lot of mail and also even though the data is flowing it is still alerting 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2021 03:13 AM

You might want to use 

| where VALUE1=0

then you can alert on whether there are any results or not

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...