Alerting

How to create an alert with the condition "where field > n AND field < m" AND show the raw events when clicking on the alert?

burwell (SplunkTrust)

We want to run an alert like this:

1) index=foo condition=bar | stats count as errors | where errors > 0 AND errors < 1000

2) The alert has an action to send to a mailing list.

3) When we click on the alert, the users should see the actual raw events, not the stats count in the Statistics tab.

4) We also run a script

The reason for the > 0 and < 1000 is that we have other alerts for > 1000 and we do different actions.

The problem I can't solve is that when I set things up and people click on the link in the email, they see the Statistics tab and don't see the raw events. They have to rerun in Verbose mode to see the raw events.

If it were just > 0, I could eliminate the stats count and say that the condition is > 0 events, and then clicking on the link would get us to the raw events.

1 Solution

burwell (SplunkTrust)

Got the answer.

The trick is to use values of _raw and then use mvexpand to make each event on a separate line. The output is sweet.

index=foo condition=bar | stats values(_raw) AS raw count as errors | where errors > 0 AND errors < 1000 | table errors raw | mvexpand raw

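The accepted search above works, but stats values(_raw) has two properties worth knowing before wiring it to an alert: values() returns only distinct values, so identical raw events collapse into one row, and it returns them in lexicographical order, so the original time order is lost. The searches below are an added example, not part of the original post; they reuse the index=foo condition=bar and 0 < count < 1000 terms from the question and assume nothing else about the data. The first variant uses eventstats, which attaches the count to every event instead of collapsing them, so each result row keeps its own _time and _raw. The second keeps the stats/mvexpand shape but uses list(_raw), which preserves input order and duplicates at the cost of a 100-value cap per list.

```spl
index=foo condition=bar
| eventstats count AS errors
| where errors > 0 AND errors < 1000
| table _time errors _raw
```

With the eventstats form, the search returns one row per raw event when the count is in range and zero rows otherwise, so the alert trigger condition can simply be "Number of Results is greater than 0"; the errors > 0 test is then redundant but harmless, and the companion alert for the >= 1000 branch is the same search with the where clause changed. Drop the table command if you want every extracted field, not just _time, errors and _raw, to be visible when the results are opened from the email link. If you prefer the collapsed stats form, the order-preserving equivalent of the accepted answer is index=foo condition=bar | stats list(_raw) AS raw count AS errors | where errors > 0 AND errors < 1000 | mvexpand raw, with the caveat that list() truncates at 100 values, so for counts between 100 and 999 it would silently show only the first 100 events while errors still reports the true count.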