Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I set an alert out of a search query?

gingersoftware
New Member
‎07-19-2018 04:32 AM

Hi,

I have this search query:

tag=NginxLogs host=www* |stats count by status|eventstats sum(count) as total|eval perc=round((count/total)*100,2)|where status="404" AND perc>5

In the result "Statistics" tab, the results I receive can be seen in the image I attached and here:

status 404
count 545
perc 16.55
total 3293

When I try to add an alert ("Save as Alert") for that query, I add all needed fields and action (send email), and on "Trigger alert when" (in Trigger Condition section) I choose "custom" and add the following line in the text box: "perc > 5" since I want the alert to send emails once the percentage is equal or above 5%.

Unfortunately, I receive the error: "In handler 'saved search': Cannot parse alert condition. Unknown search command 'perc'."

Not sure how to proceed.

Your help is appreciated.

Thanks,

alt text

Tags (2)
Preview file
87 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎07-19-2018 04:43 AM

Leave the trigger condition as “number of results is greater than 0” and use your full search:

tag=NginxLogs host=www* |stats count by status|eventstats sum(count) as total|eval perc=round((count/total)*100,2)|where status="404" AND perc>5

Your search is “doing” the trigger condition already with the where clause.

View solution in original post

Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎07-19-2018 04:43 AM

Leave the trigger condition as “number of results is greater than 0” and use your full search:

tag=NginxLogs host=www* |stats count by status|eventstats sum(count) as total|eval perc=round((count/total)*100,2)|where status="404" AND perc>5

Your search is “doing” the trigger condition already with the where clause.

Reply
Solved! Jump to solution

gingersoftware
New Member
‎07-19-2018 05:35 AM

Thanks, Works on Splunk.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...