Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you send an alert only when a condition is met consecutively?

thezen
Explorer
‎12-12-2018 10:38 PM

Hi,

I have the following alert set up: send an alert if there are more than 5 matching events for every server within the last 5 minutes.

Now, I need to update the alert such that it will be sent out only if the condition matches twice in a row; note that I can't just put the condition to alert when there are 10 events within the last 10m, since the idea is to only alert if the number of matching event is consistently above 5 every 5 minutes.

This is the closest query I can get, but I still can't get rid of the server, which doesn't satisfy the condition..

index=myindex source=logA | timechart usenull=f useother=f limit=0 span=5m count by SERVER

The above will neatly give stats for every 5 minute window for every server, so now I just need to somehow filter out the server that doesn't match the condition, so then I could create the alert to run every 10m to trigger when there's more than 1 event.

Appreciate any suggestions,

Tags (2)
0 Karma
Reply

macadminrohit
Contributor
‎12-13-2018 08:53 PM

Can you show the trigger search that you already have, i do the similar stuff in our environment. The logic is to mark each event after timechart as greater than 5 or not . and then finally calculating the number of events where you have yes. Below is the sample search, let us know if it works for you. I can help further.

| makeresults count=10 
| eval count=1 
| timechart span=5m count
| eval server_count_gt_1=if(count>5,"Yes","No") 
| timechart span=10m count(eval(server_count_gt_1="Yes")) as count_more_than2
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-13-2018 05:17 AM

How about index=myindex source=logA | timechart usenull=f useother=f limit=0 span=5m count by SERVER | where count > 4?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...