Solved: Re: How do I make an alert that triggers when the ...

paulalbert · ‎09-17-2018

Alert should be triggered when count is greater than 5 but also include records that don't trigger that alert

I want my alert to return 6 fields, but only in cases where six or more of them are where isToday = 1. This alert should also include cases where isToday = 0.

How can I do this?

Thanks!

harsmarvania57 · ‎09-18-2018

Hi @paulalbert,

You can try below query

<yourquery>
| stats count(eval(if(diff1 < 3600*24*1, 1, null()))) as isToday by CWID, employeeStartDate, sn, givenName, employeeID, loginStatus
| eventstats sum(eval(if(isToday="1",1,0))) AS cn_isToday
| table CWID, empStartDate, sn, givenName, empID, loginStatus, isToday, cn_isToday

and then schedule alert with Alert Condition -> Trigger alert when -> Custom -> search cn_isToday >= 6

View solution in original post

harsmarvania57 · ‎09-18-2018

Hi @paulalbert,

You can try below query

<yourquery>
| stats count(eval(if(diff1 < 3600*24*1, 1, null()))) as isToday by CWID, employeeStartDate, sn, givenName, employeeID, loginStatus
| eventstats sum(eval(if(isToday="1",1,0))) AS cn_isToday
| table CWID, empStartDate, sn, givenName, empID, loginStatus, isToday, cn_isToday

and then schedule alert with Alert Condition -> Trigger alert when -> Custom -> search cn_isToday >= 6

paulalbert · ‎09-18-2018

Thank you so much!!

How do I make an alert that triggers when the count is greater than 5, but doesn't when it's less than one?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...