Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create Alerts

ncbshiva
Communicator
‎05-09-2013 10:31 PM

Hi

This is my search query-source=***************************************** | table ORDERID "Delay(in days)"

This is the result of the search query
ORDERID Delay(in days)
1 269150751 4.00
2 269126721 7.00
3 269157489 21.00
4 269153074 114.00
5 269159590 217.00
6 269110381 118.00
7 269163859 24.00

I want to create Alerts for those ORDERIDs whose Delay is greater than 100.

Please tell what type of alert i should select and important parameters

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

marellasunil
Communicator
‎05-10-2013 03:12 AM

You can use if condition as well,
..| eval delayalert=if(Delay>100, "Delay for the ".ORDERID." more than 100days", "OK") | table ORDERID, Delay, delayalert

In the alert, there is a dropdown in the condition, select "if custom condition is met" & type - where delayalert!="OK".

It sends an e-mail with the delayalert which ORDERID is taking more than 100days

View solution in original post

Reply
Solved! Jump to solution

marellasunil
Communicator
‎05-10-2013 03:14 AM

The above one sends an e-mail only when the ORDERID is more than 100. otherwise it do't send the e-mail. If u want the e-mail to be sent always irrespectibe of the status, schdule the e-mail.

Reply
Solved! Jump to solution
Solution

marellasunil
Communicator
‎05-10-2013 03:12 AM

You can use if condition as well,
..| eval delayalert=if(Delay>100, "Delay for the ".ORDERID." more than 100days", "OK") | table ORDERID, Delay, delayalert

In the alert, there is a dropdown in the condition, select "if custom condition is met" & type - where delayalert!="OK".

It sends an e-mail with the delayalert which ORDERID is taking more than 100days

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎05-10-2013 12:18 AM

You can add a filter to your search to only show those ORDERID's that are more than 100 days delayed.

your base search | where "Delays (in days)">100|table ORDERID "Delays (in days)"

Then set a schedule for the search and alert condition "always". This will be more like a scheduled report than an alert.

0 Karma
Reply
Get Updates on the Splunk Community!

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives

Splunk Observability Cloud continues to evolve, empowering engineering and operations teams with advanced ...