Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can i add alert to my search query using trigger condition alert

neilfajardo15
Engager
‎10-05-2021 03:01 AM

Hi, Im setting up an alert for data flow the alert build is when the application is not running it will send us an alert and i use trigger condition in the alert. 
here is the search query 
| eval value1=if(like(sample, "value1"), 1,0), value2=if(like(sample, "value2"), 1,0), value3=if(like(sample, "value3"), 1,0)
| stats sum(value1) as VALUE1, sum(value2) as VALUE2, sum(value3) as VALUE3
| table VALUE1, VALUE2, VALUE3
 
and for the alert condition i use this command 
search VALUE1 = 0 

"0" because in the sum it indicates that the 0 means data is not flowing in splunk meaning the application is down 

Thanks in advance

Labels (1)
Labels
0 Karma
Reply

neilfajardo15
Engager
‎10-05-2021 03:55 AM

Hi thanks for the answer, but im still not able to receive alerts 😞 im using email alerts 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2021 04:40 AM

How have you set up your alerts?

0 Karma
Reply

neilfajardo15
Engager
‎10-05-2021 04:59 AM

here is my original query
| eval amd-eu1=if(like(namespace, "amd-eu1"), 1,0),
amd-eu2=if(like(namespace, "amd-eu2"), 1,0), amd-eu3=if(like(namespace, "amd-eu3"), 1,0), amd-eu4=if(like(namespace, "amd-eu4"), 1,0),
amd-eu5=if(like(namespace, "amd-eu5"), 1,0), amd-ap1=if(like(namespace, "amd-ap1"), 1,0), amd-am1=if(like(namespace, "amd-am1"), 1,0)
| stats sum(amd-eu1) as AMD_EU1, sum(amd-eu2) as AMD_EU2, sum(amd-eu3) as AMD_EU3, sum(amd-eu4) as AMD_EU4, sum(amd-eu5) as AMD_EU5, sum(amd-ap1) as AMD_AP1, sum(amd-am1) as AMD_AM1

i have remove the table 

0 Karma
Reply

neilfajardo15
Engager
‎10-05-2021 04:44 AM

I use this and it is realtime 

neilfajardo15_0-1633434243428.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2021 05:13 AM

Rather than custom, can you use number of results returned by the search?

0 Karma
Reply

neilfajardo15
Engager
‎10-05-2021 05:43 AM

But due to the stats sum and the value inside it a table will be created then it will be a result for the search 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2021 05:53 AM

Put the where as part of your search rather than the custom condition on the alert

0 Karma
Reply

neilfajardo15
Engager
‎10-05-2021 11:08 PM

Hi, Sorry for the late reply the alert works but it was spamming a lot of mail and also even though the data is flowing it is still alerting 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2021 03:13 AM

You might want to use 

| where VALUE1=0

then you can alert on whether there are any results or not

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...