Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I configure my alert conditions and proper throttling for my search?

manja054
Explorer
‎08-19-2015 04:19 AM

My search:

host=* sourcetype=* 
| stats last(Cnt) as CurrentQueueLength by _time 
| appendcols [ | inputcsv Langdon_Inbox ] 
| fillnull CurrentQueueLength 
| where CurrentQueueLength=LastAlertedQueue+5
| eval host=*| eval sourcetype=* | eval difference=CurrentQueueLength-LastAlertedQueue  | eval exception=*  | fields host sourcetype CurrentQueueLength LastAlertedQueue difference exception

1) if LastAlertedQueue(CSV) is greater than Zero, it should alert once and after alerting once, it shouldn't alert till 00:00 AM. (I am writing results from 1st alert in a CSV file)

2) if CurrentQueueLength=LastAlertedQueue(CSV)+5 , it should trigger an alert once and after alerting once, it shouldn't alert me till 00:00 AM

3) if CurrentQueueLength=LastAlertedQueue(CSV)+10, it should trigger an alert once and after alerting once, it should not alert me till 00:00AM

I have to run the search every 15 min.

Please help me to get the logic right

0 Karma
Reply

frobinson_splun
Splunk Employee
Splunk Employee
‎08-19-2015 03:57 PM

Hello @manja054,
I am a tech writer here at Splunk and I'd like to help with your question. I wanted to suggest reading this documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.4/Alert/Configuringalertsinsavedsearches.conf#Config...

This describes using the savedsearches.conf file to set up alerts and alert conditions. You might also want to check out the alert_actions.conf file for additional alert configuration options.

I hope this helps! Please let me know if you have further questions and we can continue working on this.

Best,
@frobinson_splunk

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...