How do I configure my alert conditions and proper ...

manja054 · ‎08-19-2015

My search:

host=* sourcetype=* 
| stats last(Cnt) as CurrentQueueLength by _time 
| appendcols [ | inputcsv Langdon_Inbox ] 
| fillnull CurrentQueueLength 
| where CurrentQueueLength=LastAlertedQueue+5
| eval host=*| eval sourcetype=* | eval difference=CurrentQueueLength-LastAlertedQueue  | eval exception=*  | fields host sourcetype CurrentQueueLength LastAlertedQueue difference exception

1) if LastAlertedQueue(CSV) is greater than Zero, it should alert once and after alerting once, it shouldn't alert till 00:00 AM. (I am writing results from 1st alert in a CSV file)

2) if CurrentQueueLength=LastAlertedQueue(CSV)+5 , it should trigger an alert once and after alerting once, it shouldn't alert me till 00:00 AM

3) if CurrentQueueLength=LastAlertedQueue(CSV)+10, it should trigger an alert once and after alerting once, it should not alert me till 00:00AM

I have to run the search every 15 min.

Please help me to get the logic right

frobinson_splun · ‎08-19-2015

Hello @manja054,
I am a tech writer here at Splunk and I'd like to help with your question. I wanted to suggest reading this documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.4/Alert/Configuringalertsinsavedsearches.conf#Config...

This describes using the savedsearches.conf file to set up alerts and alert conditions. You might also want to check out the alert_actions.conf file for additional alert configuration options.

I hope this helps! Please let me know if you have further questions and we can continue working on this.

Best,
@frobinson_splunk

How do I configure my alert conditions and proper throttling for my search?

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...