Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to create Alerts

ncbshiva
Communicator
‎05-09-2013 10:31 PM

Hi

This is my search query-source=***************************************** | table ORDERID "Delay(in days)"

This is the result of the search query
ORDERID Delay(in days)
1 269150751 4.00
2 269126721 7.00
3 269157489 21.00
4 269153074 114.00
5 269159590 217.00
6 269110381 118.00
7 269163859 24.00

I want to create Alerts for those ORDERIDs whose Delay is greater than 100.

Please tell what type of alert i should select and important parameters

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

marellasunil
Communicator
‎05-10-2013 03:12 AM

You can use if condition as well,
..| eval delayalert=if(Delay>100, "Delay for the ".ORDERID." more than 100days", "OK") | table ORDERID, Delay, delayalert

In the alert, there is a dropdown in the condition, select "if custom condition is met" & type - where delayalert!="OK".

It sends an e-mail with the delayalert which ORDERID is taking more than 100days

View solution in original post

Reply
Solved! Jump to solution

marellasunil
Communicator
‎05-10-2013 03:14 AM

The above one sends an e-mail only when the ORDERID is more than 100. otherwise it do't send the e-mail. If u want the e-mail to be sent always irrespectibe of the status, schdule the e-mail.

Reply
Solved! Jump to solution
Solution

marellasunil
Communicator
‎05-10-2013 03:12 AM

You can use if condition as well,
..| eval delayalert=if(Delay>100, "Delay for the ".ORDERID." more than 100days", "OK") | table ORDERID, Delay, delayalert

In the alert, there is a dropdown in the condition, select "if custom condition is met" & type - where delayalert!="OK".

It sends an e-mail with the delayalert which ORDERID is taking more than 100days

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎05-10-2013 12:18 AM

You can add a filter to your search to only show those ORDERID's that are more than 100 days delayed.

your base search | where "Delays (in days)">100|table ORDERID "Delays (in days)"

Then set a schedule for the search and alert condition "always". This will be more like a scheduled report than an alert.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...