Alerting

How to set up an alert to trigger when count > 0 and do not alert again until count >= 5?

manja054
Explorer

1) 1st Qty > 0
2) and shouldnt alert till it becomes Qty>= 5 or more

Below is the search that I used. It triggers the alert when cnt >0 & diff>0 for every 15 min.

host=* sourcetype=* earliest=-20m | timechart last(Cnt) as CurrentQueueLength span=5m | delta CurrentQueueLength as difference p=3| Where (CurrentQueueLength>0 AND difference>0 AND difference>5)

My requirement:

1) trigger alert when count >0 and do not trigger next alert until count goes above 5.

please help me to get this logic right.

Tags (2)
0 Karma

gyarici
Path Finder

Hi ,

Try to use this logic;

....|timechart last(Cnt) as CurrentQueueLength span=5m | delta CurrentQueueLength as difference p=3| eval Condition=if((difference>0) AND (difference<5),1,0)|where CurrentQueueLength>0|table _time,condition

If condition=1 on your table, you can rise an alarm,

Hope it is ok.

Thanks

Gokhan

0 Karma

gyarici
Path Finder

I am assuming that you want to have alerts for below time stamp according to your log data.

time      cnt  difference
1:00:00  1             1               Alert
1:05:00  1             0     
1:10:00  2             1               
1:15:00  2             0
1:20:00  3             1               
1:25:00  5             2               Alert
1:30:00  5             0                 
1:35:00  6             1               Alert  
1:40:00  10            4               Alert

Try this;

...your search...|eval condition=if(cnt=1) OR (cnt>4),1,0)|eval condition1=if((difference>0),1,0)|eval condition2=if((condition=1) AND ((condition1=1),1,0)|table _time,cnt,difference,condition2

Then go to alert menu for this alert;

Alert condition -> select "if custom condition is met"
go to custom condition-> search condition2="1"

alt text

Cron:*/15 * * * *

Hope it is ok now.

Thanks

Gokhan

0 Karma

manja054
Explorer

Thanks ..but it doesnot resolve my query.

my log looks like this

1:00:00 1
1:05:00 1
1:10:00 2
1:15:00 2
1:20:00 3
1:25:00 5
1:30:00 5
1:35:00 6
1:40:00 10

i should not trigger the 2nd alert till the cnt>=5 how to i say my alert to not to trigger until the cnt=5

0 Karma

manja054
Explorer

Thanks for the answer. But this is not i am looking for.

after triggering the 1st alert it as to trottle until the count becomes count >=5

0 Karma

gyarici
Path Finder

Hi ,

As I understood you have data like;

cnt difference
10 0
15 5
19 4

What I understood is you want to trig if difference<0 but do not trig until difference reach 5.

Here is the new logic:

....|timechart last(Cnt) as CurrentQueueLength span=5m | delta CurrentQueueLength as difference p=3|eval condition1=case(BADCODES<2,"smallerthantwo",BADCODES>5,"biggerthanfive")|eval condition2=if((condition1="smallerthantwo") OR (condition1="biggerthanfive"),1,0)| table _time,BADCODES,condition1,condition2

Now, If condition2="1" on your table, you can rise an alarm.

Cron:*/15 * * * *

Hope it ok

Thanks

Gokhan

0 Karma

otman01
Communicator

you can make 2 alerts
the first will be between 0 and 5
and the second will be over 5

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...