Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create Alerts

ncbshiva
Communicator
‎05-09-2013 10:31 PM

Hi

This is my search query-source=***************************************** | table ORDERID "Delay(in days)"

This is the result of the search query
ORDERID Delay(in days)
1 269150751 4.00
2 269126721 7.00
3 269157489 21.00
4 269153074 114.00
5 269159590 217.00
6 269110381 118.00
7 269163859 24.00

I want to create Alerts for those ORDERIDs whose Delay is greater than 100.

Please tell what type of alert i should select and important parameters

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

marellasunil
Communicator
‎05-10-2013 03:12 AM

You can use if condition as well,
..| eval delayalert=if(Delay>100, "Delay for the ".ORDERID." more than 100days", "OK") | table ORDERID, Delay, delayalert

In the alert, there is a dropdown in the condition, select "if custom condition is met" & type - where delayalert!="OK".

It sends an e-mail with the delayalert which ORDERID is taking more than 100days

View solution in original post

Reply
Solved! Jump to solution

marellasunil
Communicator
‎05-10-2013 03:14 AM

The above one sends an e-mail only when the ORDERID is more than 100. otherwise it do't send the e-mail. If u want the e-mail to be sent always irrespectibe of the status, schdule the e-mail.

Reply
Solved! Jump to solution
Solution

marellasunil
Communicator
‎05-10-2013 03:12 AM

You can use if condition as well,
..| eval delayalert=if(Delay>100, "Delay for the ".ORDERID." more than 100days", "OK") | table ORDERID, Delay, delayalert

In the alert, there is a dropdown in the condition, select "if custom condition is met" & type - where delayalert!="OK".

It sends an e-mail with the delayalert which ORDERID is taking more than 100days

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎05-10-2013 12:18 AM

You can add a filter to your search to only show those ORDERID's that are more than 100 days delayed.

your base search | where "Delays (in days)">100|table ORDERID "Delays (in days)"

Then set a schedule for the search and alert condition "always". This will be more like a scheduled report than an alert.

0 Karma
Reply
Get Updates on the Splunk Community!

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...