Alerting

How do one setup an alert to send email for when the temperature goes up.

babs101
Path Finder

I have got the following parameter defined within Splunk report which works perfectly well for temperature detection !

index=main sourcetype="temperature" | head 10 | rex "UPS2 Cool: (?[^ ]+)" | stats avg(COOL)

I want to create an alert that will send am email when the cool temperature on Splunk gets above 30 degrees
Do anyone have an idea how to set this up?

Tags (1)
0 Karma

MHibbin
Influencer

You will need to add a condition to the end of your current search. Add the following and test that it only shows the values above 30.

yoursearch | rename avg(COOL) AS avgcool|search avgcool>30

-or-

yoursearch | rename avg(COOL) AS avgcool|where avgcool>30

Once you have run that search and verified the results. You can do this from the flashtimeline (where you will be probably testing this command), by selecting "Create" dropdown button (on the right-hand side of your view by default) and then "Alert". This will show a pop-up containing you search. You should then follow the setup selecting your time period and alert method (Alert Docs:HERE and HERE)

You will also need to configure you email settings, which can be done through the Manager and then "System Settings" (Email Docs: HERE)

Hope this helps,

Regards,

MHibbin

EDIT: Modified the searches above

0 Karma

babs101
Path Finder

Hi when I this the command it worked

I got this result
4/27/12
11:07:00.000 AM

UPS1 Warm: 28 UPS2 Cool: 30

this is the likely pattern I am looking for,but How can I filter this to only display UPS2 Cool: 30 as the final result without the UPS1 Warm: 28 ?

0 Karma

MHibbin
Influencer

OK in that case, you would probably need to do something like..

index=main sourcetype="temperature" | rex "UPS2 Cool: (?[^ ]+)" | where cool>29 | head 1

0 Karma

babs101
Path Finder

Sorry I miss one of your questions, I want to be alerted when the cool temperature is >29 but I do not want it to do the stats avg(CooL) before given the result.

0 Karma

babs101
Path Finder

Thanks for this information I am even wondering if I can make it simple in this format index="main" sourcetype="temperature" "30"
but I ran into problem with the evaluation part of it I just want to say where cool>29 than it would not have to pick the warm. I am thinking using the stat part of this could cause some time delay please what do you think.

0 Karma

MHibbin
Influencer

As these are two different values I would think it might be better to have two searches... i.e. one for "cool" and one for "warm", then you could have devices for example and have temperature by device... e.g.

index=main sourcetype="temperature" | rex "UPS1 Warm: (?[^ ]+) | stats avg(warm) by host| rename avg(warm) as avgwarm | where avgwarm>29

and then another for avgcool, for a lower temperature.

0 Karma

MHibbin
Influencer

So you wish to be alerted when the "cool" temperature is above 19 OR "warm" is above 29? If so...

index=main sourcetype="temperature" | rex "UPS1 Warm: (?[^ ]+) UPS2 Cool: (?[^ ]+)" | stats avg(COOL), avg(WARM)|rename avg(COOL) AS avgcool, avg(WARM) as avgwarm | where avgcool>19 OR avgwarm>29

Let me know if this is what you meant?

0 Karma

MHibbin
Influencer

Thanks very much! - The main reason I mentioned this, is so the community can both judge how useful the answer was, and whether a question still requires input.

OK, I've played around with some of my data, not exactly the same...

0 Karma

babs101
Path Finder

I want to give you 100 point but to my surprise the points slid bar stops at 51.

0 Karma

babs101
Path Finder

I clicked on the acceptable and it says the question already has an acceptable answear.

0 Karma

babs101
Path Finder

The steps you've stated above worked. the additional question I was asking you is could one also do it this way using this parameter:
index=main sourcetype="temperature" | rex "UPS1 Warm: (?[^ ]+) UPS2 Cool: (?[^ ]+)"
?
I am happy your step above worked.

0 Karma

babs101
Path Finder

I guess I can use the parameter that works since they both using the same sourcetype I should still get the same results and I just need to set mine threshold to >29 since I want my alert when it hits 30 degrees
index=main sourcetype="temperature" | head 10 | rex "UPS2 Cool: (?[^ ]+)" | stats avg(COOL) | rename avg(COOL) AS avgcool | where avgcool>29

I hope this is useful to others out there. not if its useful also my temperature data came from cacti.

0 Karma

babs101
Path Finder

Thanks very much MHibbin for the tip. I should not have a problem setting this up in a real time I guess.
I have now combined the temperature threshold parameters
index=main sourcetype="temperature" | rex "UPS1 Warm: (?[^ ]+) UPS2 Cool: (?[^ ]+)"

Is it possible to use the your steps above as I tried it as stated below but failed.

index=main sourcetype="temperature" | rex "UPS1 Warm: (?[^ ]+) UPS2 Cool: (?[^ ]+)" | rename avg(COOL) AS avgcool | search avgcool>19, rename avg(WARM) AS avgwarm | search avgwarm>27

0 Karma

MHibbin
Influencer

OK, does that mean this question has been resolved? - Or is there something else that needs sorting (my reading of this, is that you have it working).

If it has answered your question, and there are no more questions, can you mark the answer as accepted. Thanks 🙂

0 Karma

babs101
Path Finder

so I went back to your steps and reduced the temperature threshold at which I expect an alert to be send to 19
index=main sourcetype="temperature" | head 10 | rex "UPS2 Cool: (?[^ ]+)" | stats avg(COOL) | rename avg(COOL) AS avgcool | where avgcool>19
and I got a result 20.0000

0 Karma

babs101
Path Finder

I tried both steps above, and I got a better result as it was showing 10 matching events with the linear bar graph.but in the result field I got "0 result in the last 30 days "from 12:00:00 AM March 14 to 11:55:32 AM April 13, 2012" I decided to check the threshold of my warm and cool temperature by doing the following:
ndex=main sourcetype="temperature" | head 10 | rex "UPS2 Cool: (?[^ ]+)" | stats avg(COOL)
index=main sourcetype="temperature" | head 10 | rex "UPS1 Warm: (?[^ ]+)" | stats avg(WARM)

mine stats avg(COOL) temp is 20.0000
mine stats avg(WARM) temp is 28.0000

0 Karma

MHibbin
Influencer

note that I used added the rename command and changed the final function.

0 Karma

MHibbin
Influencer

OK sorry I just checked, apparently Splunk doesn't like the "()" in the search... try this...

index=main sourcetype="temperature" | head 10 | rex "UPS2 Cool: (?[^ ]+)" | stats avg(COOL) | rename avg(COOL)AS avgcool | where avgcool>30

-OR-

index=main sourcetype="temperature" | head 10 | rex "UPS2 Cool: (?[^ ]+)" | stats avg(COOL) | rename avg(COOL) AS avgcool |search avgcool>30

0 Karma

babs101
Path Finder

shows the following error
"Error in 'where' command: The 'avg' function is unsupported or undefined.

is there any thing I am doing wrong in terms of the parameter I am passing?

0 Karma

babs101
Path Finder

I have now tried to test the above conditions as follows
index=main sourcetype="temperature" | head 10 | rex "UPS2 Cool: (?[^ ]+)" | stats avg(COOL) |search avg(COOL)>30
and it generated the following errors.
"Error in 'search' command: Unable to parse the search comparator '>' has an invalid term on the left hand side".
and
index=main sourcetype="temperature" | head 10 | rex "UPS2 Cool: (?[^ ]+)" | stats avg(COOL) |where avg(COOL)>30

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...