Alerting

How do I configure my alert conditions and proper throttling for my search?

manja054
Explorer

My search:

host=* sourcetype=* 
| stats last(Cnt) as CurrentQueueLength by _time 
| appendcols [ | inputcsv Langdon_Inbox ] 
| fillnull CurrentQueueLength 
| where CurrentQueueLength=LastAlertedQueue+5
| eval host=*| eval sourcetype=* | eval difference=CurrentQueueLength-LastAlertedQueue  | eval exception=*  | fields host sourcetype CurrentQueueLength LastAlertedQueue difference exception

1) if LastAlertedQueue(CSV) is greater than Zero, it should alert once and after alerting once, it shouldn't alert till 00:00 AM. (I am writing results from 1st alert in a CSV file)

2) if CurrentQueueLength=LastAlertedQueue(CSV)+5 , it should trigger an alert once and after alerting once, it shouldn't alert me till 00:00 AM

3) if CurrentQueueLength=LastAlertedQueue(CSV)+10, it should trigger an alert once and after alerting once, it should not alert me till 00:00AM

I have to run the search every 15 min.

Please help me to get the logic right

0 Karma

frobinson_splun
Splunk Employee
Splunk Employee

Hello @manja054,
I am a tech writer here at Splunk and I'd like to help with your question. I wanted to suggest reading this documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.4/Alert/Configuringalertsinsavedsearches.conf#Config...

This describes using the savedsearches.conf file to set up alerts and alert conditions. You might also want to check out the alert_actions.conf file for additional alert configuration options.

I hope this helps! Please let me know if you have further questions and we can continue working on this.

Best,
@frobinson_splunk

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...