Solved: Re: How do I trigger an alert if a continuously nu...

DataOrg · ‎08-23-2018

For example.
i have a field which has repeated numbers. if a number is repeated more than 5 times, i need to clear an alert.

for example if number "3" repeats more than 5 times. i need to filter it.

1
1
1
2
3
3
3
3
5

sudosplunk · ‎08-23-2018

If you have a field called "X", then add something like below to your search and schedule your alert in a normal way.

...count(eval(X="3")) AS count_number BY sourcetype | where count_number > 5

View solution in original post

mstjohn_splunk · ‎08-23-2018

Hi @premranjithj, Were you able to test out either of these solutions? Did they work? If yes, please don't forget to resolve this post by clicking on "Accept". If you still need more help, please provide a comment with some feedback. Thanks!

sudosplunk · ‎08-23-2018

If you have a field called "X", then add something like below to your search and schedule your alert in a normal way.

...count(eval(X="3")) AS count_number BY sourcetype | where count_number > 5

DataOrg · ‎08-23-2018

3 is not a constant.. even if 2 was present more than 5 we need trigger alert. It will be like if a same number present more than 5 times . We need to trigger an alert

sudosplunk · ‎08-23-2018

Can you paste some sample (actual looking events) data. Please mask unwanted information. I want to look at the actual field with value.

DataOrg · ‎08-23-2018

below is the example. we need to refer column inc_value. if same number repeats more than 5 times. we need to trigger alert

datetime inc_value
24/08/2018 06:18 1
24/08/2018 06:20 1
24/08/2018 06:30 1
24/08/2018 06:33 1
24/08/2018 06:34 1
24/08/2018 06:38 1
24/08/2018 06:40 1
24/08/2018 06:45 1
24/08/2018 06:18 2
24/08/2018 06:21 2
24/08/2018 06:32 2
24/08/2018 06:22 3
24/08/2018 06:25 3
24/08/2018 06:39 3
24/08/2018 06:44 3
24/08/2018 06:21 4
24/08/2018 06:24 4
24/08/2018 06:31 4
24/08/2018 06:37 4
24/08/2018 06:42 4
24/08/2018 06:20 5
24/08/2018 06:21 5
24/08/2018 06:30 5
24/08/2018 06:31 5
24/08/2018 06:34 5
24/08/2018 06:35 5
24/08/2018 06:36 5
24/08/2018 06:37 5
24/08/2018 06:39 5
24/08/2018 06:40 5
24/08/2018 06:41 5
24/08/2018 06:42 5

sudosplunk · ‎08-24-2018

See if this works, ...| stats count by inc_value | where count > 5

Below is the run anywhere search:

| makeresults | eval new = "24/08/2018 06:18 1
24/08/2018 06:20 1
24/08/2018 06:30 1
24/08/2018 06:33 1
24/08/2018 06:34 1
24/08/2018 06:38 1
24/08/2018 06:40 1
24/08/2018 06:45 1
24/08/2018 06:18 2
24/08/2018 06:21 2
24/08/2018 06:32 2
24/08/2018 06:22 3
24/08/2018 06:25 3
24/08/2018 06:39 3
24/08/2018 06:44 3
24/08/2018 06:21 4
24/08/2018 06:24 4
24/08/2018 06:31 4
24/08/2018 06:37 4
24/08/2018 06:42 4
24/08/2018 06:20 5
24/08/2018 06:21 5
24/08/2018 06:30 5
24/08/2018 06:31 5
24/08/2018 06:34 5
24/08/2018 06:35 5
24/08/2018 06:36 5
24/08/2018 06:37 5
24/08/2018 06:39 5
24/08/2018 06:40 5
24/08/2018 06:41 5
24/08/2018 06:42 5"
| rex max_match=0 field=new "\S+\s\S+\s(?<inc>\d)"
| stats count by inc
| where count > 5

vishaltaneja070 · ‎08-23-2018

you can run a query with
| stats count(field) by field

Which will give you output like this:
field count
1 3
2 1
3 5
4 3

Then you can create a alert based on count field with count>5 and pass the value of $field$ in result.

How do I trigger an alert if a continuously number repeats more than 5 times?

below is the example. we need to refer column inc_value. if same number repeats more than 5 times. we need to trigger alert

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life