Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create Alerts

ncbshiva
Communicator
‎05-09-2013 10:31 PM

Hi

This is my search query-source=***************************************** | table ORDERID "Delay(in days)"

This is the result of the search query
ORDERID Delay(in days)
1 269150751 4.00
2 269126721 7.00
3 269157489 21.00
4 269153074 114.00
5 269159590 217.00
6 269110381 118.00
7 269163859 24.00

I want to create Alerts for those ORDERIDs whose Delay is greater than 100.

Please tell what type of alert i should select and important parameters

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

marellasunil
Communicator
‎05-10-2013 03:12 AM

You can use if condition as well,
..| eval delayalert=if(Delay>100, "Delay for the ".ORDERID." more than 100days", "OK") | table ORDERID, Delay, delayalert

In the alert, there is a dropdown in the condition, select "if custom condition is met" & type - where delayalert!="OK".

It sends an e-mail with the delayalert which ORDERID is taking more than 100days

View solution in original post

Reply
Solved! Jump to solution

marellasunil
Communicator
‎05-10-2013 03:14 AM

The above one sends an e-mail only when the ORDERID is more than 100. otherwise it do't send the e-mail. If u want the e-mail to be sent always irrespectibe of the status, schdule the e-mail.

Reply
Solved! Jump to solution
Solution

marellasunil
Communicator
‎05-10-2013 03:12 AM

You can use if condition as well,
..| eval delayalert=if(Delay>100, "Delay for the ".ORDERID." more than 100days", "OK") | table ORDERID, Delay, delayalert

In the alert, there is a dropdown in the condition, select "if custom condition is met" & type - where delayalert!="OK".

It sends an e-mail with the delayalert which ORDERID is taking more than 100days

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎05-10-2013 12:18 AM

You can add a filter to your search to only show those ORDERID's that are more than 100 days delayed.

your base search | where "Delays (in days)">100|table ORDERID "Delays (in days)"

Then set a schedule for the search and alert condition "always". This will be more like a scheduled report than an alert.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...