Alerting

How do I make an alert that triggers when the count is greater than 5, but doesn't when it's less than one?

paulalbert
Engager

Alert should be triggered when count is greater than 5 but also include records that don't trigger that alert

I want my alert to return 6 fields, but only in cases where six or more of them are where isToday = 1. This alert should also include cases where isToday = 0.

How can I do this?

Thanks!



harsmarvania57
SplunkTrust

Hi @paulalbert,

You can try the query below

<yourquery>
| stats count(eval(if(diff1 < 3600*24*1, 1, null()))) as isToday by CWID, employeeStartDate, sn, givenName, employeeID, loginStatus
| eventstats sum(eval(if(isToday="1",1,0))) AS cn_isToday
| table CWID, employeeStartDate, sn, givenName, employeeID, loginStatus, isToday, cn_isToday

and then schedule the alert with Alert Condition -> Trigger alert when -> Custom -> search cn_isToday >= 6

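The pipeline in the accepted answer does three things: stats collapses events into one row per employee and counts that row's same-day events as isToday, eventstats stamps the global total cn_isToday onto every row without dropping any, and the custom trigger condition decides from that total. The Python below is an added illustration, not the answer's own code or anything from Splunk; it reproduces that logic over constructed sample events so the behaviour can be checked offline. It assumes, as the answer does, that <yourquery> already produces a diff1 field holding each record's age in seconds, and it keeps the answer's literal comparison isToday="1".

```python
from collections import OrderedDict

DAY_SECONDS = 3600 * 24 * 1   # the 3600*24*1 threshold used in the answer's eval
ALERT_THRESHOLD = 6           # the custom trigger condition: search cn_isToday >= 6

# The "by" fields of the stats command in the answer.
GROUP_FIELDS = ("CWID", "employeeStartDate", "sn", "givenName", "employeeID", "loginStatus")


def make_event(cwid, diff1):
    """Constructed sample record (hypothetical values); the grouping fields
    are derived from the CWID so each CWID forms its own stats group."""
    return {"CWID": cwid, "employeeStartDate": "2021-09-01", "sn": f"sn-{cwid}",
            "givenName": f"gn-{cwid}", "employeeID": f"E-{cwid}",
            "loginStatus": "active", "diff1": diff1}


# Constructed input: six employees with one same-day record each, one employee
# whose record is three days old, and one employee with two same-day records.
SAMPLE_EVENTS = (
    [make_event(f"C{i}", 3600 * i) for i in range(1, 7)]
    + [make_event("C7", 3 * DAY_SECONDS)]
    + [make_event("C8", 100), make_event("C8", 200)]
)


def stats_is_today(events):
    """Mirror `stats count(eval(if(diff1 < 3600*24*1, 1, null()))) as isToday by ...`.
    count() ignores null(), so isToday is the number of events in the group
    with diff1 under one day; a group with none keeps isToday = 0 and stays
    in the output, which is what keeps the isToday = 0 cases in the alert."""
    rows = OrderedDict()
    for ev in events:
        key = tuple(ev[f] for f in GROUP_FIELDS)
        row = rows.setdefault(key, dict(zip(GROUP_FIELDS, key), isToday=0))
        if ev["diff1"] < DAY_SECONDS:
            row["isToday"] += 1
    return list(rows.values())


def eventstats_cn_is_today(rows):
    """Mirror `eventstats sum(eval(if(isToday="1",1,0))) AS cn_isToday`.
    eventstats adds the aggregate to every row instead of collapsing them,
    so the same cn_isToday appears on all rows and no row is filtered out.
    The literal test isToday == 1 is kept from the answer's query."""
    cn = sum(1 for r in rows if r["isToday"] == 1)
    for r in rows:
        r["cn_isToday"] = cn
    return rows


def run_search(events):
    """The full search: stats, then eventstats, returning every group row."""
    return eventstats_cn_is_today(stats_is_today(events))


def alert_fires(rows, threshold=ALERT_THRESHOLD):
    """The custom trigger `search cn_isToday >= 6` fires when any row passes
    the filter; because cn_isToday is identical on every row, that is the
    same as testing the global count once."""
    return any(r["cn_isToday"] >= threshold for r in rows)


if __name__ == "__main__":
    rows = run_search(SAMPLE_EVENTS)
    for r in rows:
        print(r["CWID"], "isToday =", r["isToday"], "cn_isToday =", r["cn_isToday"])
    print("alert fires:", alert_fires(rows))
```

Running it shows eight result rows (including the C7 row with isToday = 0) and cn_isToday = 6 on each, so the alert fires while the non-matching records are still returned. It also shows a caveat worth knowing about the query as written: the C8 group has two same-day records, so its isToday is 2 and the `isToday="1"` test does not count it toward cn_isToday; a group with several same-day events therefore never contributes to the trigger unless the condition is written to test isToday > 0 instead.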


paulalbert
Engager

Thank you so much!!
