Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- How to set up a scheduled alert to send an email i...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to set up a scheduled alert to send an email if I do not get a response or acknowledgement for a particular ID?
Hi,
I have data like this:
student id request type
13030 ack
13030 response
13030 request
14040 request
14040 response
14040 ack
So I need to schedule a search to run every 15 minutes, and send an email alert when I do not get any response or acknowledgement for a particular student id, including the student and their multiple requests and responses.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi prashanthberam,
you should create a lookup with your student IDs (e.g.: StudentID.csv) and then run a search like this:
| inputlookup StudentID.csv
| eval count=0, StudentID=lower(StudentID)
| append [ search index=yourindex | StudentID=lower(StudentID) | stats count by StudentID ]
| stats sum(count) AS Total BY StudentID
| where Total=0
In this way you have all the StudentsID that aren't present in search results.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming your data has student_id and request_type fields.
your search query | stats count as RequestCount values(request_type) as RequestTypes by student_id | search RequestCount>=1 AND NOT (RequestTypes="response" OR RequestTypes="ack")
Setup Alert with
1) Alert Type > Scheduled "Run on Cron Schedule" and for running every 15 minutes (For example following is only for weekdays): */15 * * * 1-5
2) Trigger Condition > Trigger Alert when "Number of Results" "is greater than" 0
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
am getting every studentnames and their requesttypes and their count but i need who are doesn't have the "ACK" "RESPONSE" i need those information....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you validate the fields in search are correct? I tested with following data (14041 has only request and no ack and response). The query worked for me. Please play around with final search conditions requestCount and requestTypes (If you are getting count, then requestCount=1 alone without requestType condition, on high level should give you only requests).
2016-10-29 13:24:43.310 student_id=13030 request_type=ack
2016-10-29 13:25:43.310 student_id=13030 request_type=response
2016-10-29 13:26:43.310 student_id=13030 request_type=request
2016-10-29 13:27:43.310 student_id=14040 request_type=request
2016-10-29 13:28:43.310 student_id=14040 request_type=response
2016-10-29 13:29:43.310 student_id=14040 request_type=ack
2016-10-29 13:27:43.310 student_id=14041 request_type=request
index=main sourcetype="splunk_answers_475441"
| stats count as RequestCount values(request_type) as RequestTypes by student_id
| search RequestCount>=1 AND NOT (RequestTypes="response" OR RequestTypes="ack")
| makeresults | eval message= "Happy Splunking!!!"
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
