
How to pass one alert results to another alert?

Builder

Hi,

In the first alert query it produces a list of IDs which need to be passed to another alert query. Will it be possible to implement it like this?

First Alert Query:

| tstats values(MXTIMING.ID) as ID max(MXTIMING.Memory) AS Memory FROM datamodel=MXTIMING_V9 WHERE host=* AND MXTIMING.Memory>5000 GROUPBY source
   | table ID

Second Alert Query:

| tstats max(MXTIMING.Memory) AS VmPeak FROM datamodel=MXTIMING_V9 WHERE  MXTIMING.Context+Command="*" AND MXTIMING.ID IN  ("ID1" "ID2" "ID3" "ID4" "ID5" )  GROUPBY MXTIMING.Context+Command MXTIMING.Time _time span=1s source

Re: How to pass one alert results to another alert?

SplunkTrust

Use a subsearch. Remember that subsearches execute first and pass their results to the parent search.

| tstats max(MXTIMING.Memory) AS VmPeak FROM datamodel=MXTIMING_V9 WHERE  MXTIMING.Context+Command="*" AND
   [| tstats  values(MXTIMING.ID) as MXTIMING.ID max(MXTIMING.Memory) AS Memory FROM datamodel=MXTIMING_V9 WHERE host=* AND MXTIMING.Memory>5000 GROUPBY source 
   | fields MXTIMING.ID | format ] 
GROUPBY MXTIMING.Context+Command MXTIMING.Time _time span=1s source 
---
If this reply helps you, an upvote would be appreciated.

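To make the subsearch mechanics concrete, here is an added Python illustration (not Splunk code, and not part of the answer above) that emulates what the `format` command hands back to the parent search. The rows are constructed sample output shaped like the inner `| tstats ... GROUPBY source | fields MXTIMING.ID` would return: one row per source, with `MXTIMING.ID` as a multivalue field. The emulation follows the documented default `format` shape `( ( f=v AND f=v ) OR ( ... ) )`, joins multivalue fields with `mvsep="OR"`, and returns `NOT()` for an empty subsearch; the parenthesising of a multivalue group next to other columns, the `_quote` helper and the `build_parent_search` wrapper are my own choices. It also models the default `limits.conf` `[subsearch] maxout=10000` cap, because an alert that feeds more IDs than that into the outer search silently loses the tail of the list.

```python
"""Emulate Splunk's `format` command for a subsearch-driven alert.

Added illustration only; the rows below are constructed sample data, not output
from the MXTIMING_V9 data model.
"""

SUBSEARCH_MAXOUT = 10000  # limits.conf [subsearch] maxout default

# Constructed sample subsearch output (one row per source, MXTIMING.ID multivalue).
SAMPLE_SUBSEARCH_ROWS = [
    {"source": "/var/log/mx/a.log", "MXTIMING.ID": ["ID1", "ID2"], "Memory": 8192},
    {"source": "/var/log/mx/b.log", "MXTIMING.ID": "ID3", "Memory": 6100},
]


def _quote(value):
    """Quote a value the way format does, escaping backslashes and quotes."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def format_rows(rows, mvsep="OR", maxout=SUBSEARCH_MAXOUT):
    """Turn subsearch rows into a search predicate.

    Returns (predicate, truncated). Columns inside a row are ANDed, rows are ORed,
    multivalue fields are joined with mvsep. Rows past maxout are dropped, which is
    the silent narrowing an alert author must watch for.
    """
    kept = rows[:maxout]
    truncated = len(rows) > maxout
    row_terms = []
    for row in kept:
        pairs = []
        for field, value in row.items():
            values = value if isinstance(value, list) else [value]
            values = [v for v in values if v not in (None, "")]
            if values:
                pairs.append((field, values))
        col_terms = []
        for field, values in pairs:
            term = f" {mvsep} ".join(f"{field}={_quote(v)}" for v in values)
            # Assumption: parenthesise a multivalue group only when it is ANDed
            # beside other columns, so OR does not swallow the AND.
            if len(values) > 1 and len(pairs) > 1:
                term = f"( {term} )"
            col_terms.append(term)
        if col_terms:
            row_terms.append("( " + " AND ".join(col_terms) + " )")
    if not row_terms:
        # An empty subsearch makes the parent match nothing: the alert goes quiet,
        # it does not fall back to searching everything.
        return "NOT()", truncated
    return "( " + " OR ".join(row_terms) + " )", truncated


def build_parent_search(subsearch_rows, fields_kept=("MXTIMING.ID",)):
    """Apply `| fields <kept>` then `| format`, and splice into the outer tstats.

    Keeping only MXTIMING.ID matters: without the fields step, source and Memory
    would be ANDed into every row and the outer WHERE would match almost nothing.
    """
    projected = [{f: r[f] for f in fields_kept if f in r} for r in subsearch_rows]
    predicate, truncated = format_rows(projected)
    parent = (
        "| tstats max(MXTIMING.Memory) AS VmPeak FROM datamodel=MXTIMING_V9 "
        'WHERE MXTIMING.Context+Command="*" AND ' + predicate +
        " GROUPBY MXTIMING.Context+Command MXTIMING.Time _time span=1s source"
    )
    return parent, truncated


if __name__ == "__main__":
    search, cut = build_parent_search(SAMPLE_SUBSEARCH_ROWS)
    print(search)
    print("truncated:", cut)
    # Forgetting `| fields MXTIMING.ID` drags the other columns into the predicate:
    print(format_rows(SAMPLE_SUBSEARCH_ROWS)[0])
```

Two checks worth adding to the real alert: confirm the subsearch field keeps the data-model name `MXTIMING.ID` (renaming it to `ID`, as in the question's first query, would produce `ID="..."` terms the outer WHERE cannot resolve), and watch the job's messages for the subsearch being truncated or timing out, since a narrowed ID list means hosts over the memory threshold quietly drop out of the second alert.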