Solved: How do I set an alert out of a search query?

gingersoftware · ‎07-19-2018

Hi,

I have this search query:

tag=NginxLogs host=www* |stats count by status|eventstats sum(count) as total|eval perc=round((count/total)*100,2)|where status="404" AND perc>5

In the result "Statistics" tab, the results I receive can be seen in the image I attached and here:

status 404
count 545
perc 16.55
total 3293

When I try to add an alert ("Save as Alert") for that query, I add all needed fields and action (send email), and on "Trigger alert when" (in Trigger Condition section) I choose "custom" and add the following line in the text box: "perc > 5" since I want the alert to send emails once the percentage is equal or above 5%.

Unfortunately, I receive the error: "In handler 'saved search': Cannot parse alert condition. Unknown search command 'perc'."

Not sure how to proceed.

Your help is appreciated.

Thanks,

jkat54 · ‎07-19-2018

Leave the trigger condition as “number of results is greater than 0” and use your full search:

tag=NginxLogs host=www* |stats count by status|eventstats sum(count) as total|eval perc=round((count/total)*100,2)|where status="404" AND perc>5

Your search is “doing” the trigger condition already with the where clause.

View solution in original post

jkat54 · ‎07-19-2018

Leave the trigger condition as “number of results is greater than 0” and use your full search:

tag=NginxLogs host=www* |stats count by status|eventstats sum(count) as total|eval perc=round((count/total)*100,2)|where status="404" AND perc>5

Your search is “doing” the trigger condition already with the where clause.

gingersoftware · ‎07-19-2018

Thanks, Works on Splunk.

How do I set an alert out of a search query?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!