Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do you send an alert only when a condition is met consecutively?

thezen
Explorer
‎12-12-2018 10:38 PM

Hi,

I have the following alert set up: send an alert if there are more than 5 matching events for every server within the last 5 minutes.

Now, I need to update the alert such that it will be sent out only if the condition matches twice in a row; note that I can't just put the condition to alert when there are 10 events within the last 10m, since the idea is to only alert if the number of matching event is consistently above 5 every 5 minutes.

This is the closest query I can get, but I still can't get rid of the server, which doesn't satisfy the condition..

index=myindex source=logA | timechart usenull=f useother=f limit=0 span=5m count by SERVER

The above will neatly give stats for every 5 minute window for every server, so now I just need to somehow filter out the server that doesn't match the condition, so then I could create the alert to run every 10m to trigger when there's more than 1 event.

Appreciate any suggestions,

Tags (2)
0 Karma
Reply

macadminrohit
Contributor
‎12-13-2018 08:53 PM

Can you show the trigger search that you already have, i do the similar stuff in our environment. The logic is to mark each event after timechart as greater than 5 or not . and then finally calculating the number of events where you have yes. Below is the sample search, let us know if it works for you. I can help further.

| makeresults count=10 
| eval count=1 
| timechart span=5m count
| eval server_count_gt_1=if(count>5,"Yes","No") 
| timechart span=10m count(eval(server_count_gt_1="Yes")) as count_more_than2
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-13-2018 05:17 AM

How about index=myindex source=logA | timechart usenull=f useother=f limit=0 span=5m count by SERVER | where count > 4?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...