Alerting

How to set up an alert that triggers when count > 0 and does not alert again until count >= 5?

manja054
Explorer

1) 1st Qty > 0
2) and shouldn't alert till it becomes Qty >= 5 or more

Below is the search that I used. It triggers the alert when cnt > 0 & diff > 0 every 15 min.

host=* sourcetype=* earliest=-20m | timechart last(Cnt) as CurrentQueueLength span=5m | delta CurrentQueueLength as difference p=3| Where (CurrentQueueLength>0 AND difference>0 AND difference>5)

My requirement:

1) trigger an alert when count > 0 and do not trigger the next alert until count goes above 5.

Please help me get this logic right.


gyarici
Path Finder

Hi,

Try this logic:

....|timechart last(Cnt) as CurrentQueueLength span=5m | delta CurrentQueueLength as difference p=3| eval condition=if((difference>0) AND (difference<5),1,0)|where CurrentQueueLength>0|table _time,condition

If condition=1 in your table, you can raise an alarm.

Hope it is ok.

Thanks

Gokhan


gyarici
Path Finder

I am assuming that you want to have alerts for the time stamps below, according to your log data.

time     cnt  difference  action
1:00:00    1           1  Alert
1:05:00    1           0
1:10:00    2           1
1:15:00    2           0
1:20:00    3           1
1:25:00    5           2  Alert
1:30:00    5           0
1:35:00    6           1  Alert
1:40:00   10           4  Alert

Try this:

...your search...|eval condition=if((cnt=1) OR (cnt>4),1,0)|eval condition1=if((difference>0),1,0)|eval condition2=if((condition=1) AND (condition1=1),1,0)|table _time,cnt,difference,condition2

Then go to the alert menu for this alert:

Alert condition -> select "if custom condition is met"
Go to custom condition -> search condition2="1"


Cron: */15 * * * *

Hope it is OK now.

Thanks

Gokhan


manja054
Explorer

Thanks, but it does not resolve my query.

My log looks like this:

1:00:00 1
1:05:00 1
1:10:00 2
1:15:00 2
1:20:00 3
1:25:00 5
1:30:00 5
1:35:00 6
1:40:00 10

I should not trigger the 2nd alert till cnt>=5. How do I tell my alert not to trigger until cnt=5?

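The rule asked for above is stateful: whether a given 5-minute bucket alerts depends on whether an earlier bucket already did, and on whether the count has since climbed to the next level. The following is an added example, not code from the thread or from Splunk, that models that suppression rule in Python over the exact series the poster supplied, next to the naive "cnt > 0" rule it replaces. The threshold ladder (1, 5) is an assumption taken from the question; what happens after the 5 level is cleared (stay quiet until the count drains back to 0) is also an assumption, since the thread does not say.

```python
"""Model of 'alert on count > 0, then stay quiet until count >= 5'.

Added example, not Splunk code.  Assumptions (not stated in the thread):
  * the threshold ladder is (1, 5): fire once when the count first reaches 1,
    once more when it first reaches 5, then stay quiet;
  * the ladder re-arms only when the count drains back to 0.
"""

from typing import Iterable, List, Sequence, Tuple

# Sample series copied from the poster's log: (time, cnt) per 5-minute bucket.
SAMPLE_SERIES: List[Tuple[str, int]] = [
    ("1:00:00", 1), ("1:05:00", 1), ("1:10:00", 2), ("1:15:00", 2),
    ("1:20:00", 3), ("1:25:00", 5), ("1:30:00", 5), ("1:35:00", 6),
    ("1:40:00", 10),
]


def stateless_alerts(series: Iterable[Tuple[str, int]], threshold: int = 1) -> List[str]:
    """The naive rule the poster started with: every bucket with cnt >= threshold
    fires, so a queue that stays non-empty alerts on every run."""
    return [t for t, cnt in series if cnt >= threshold]


def throttled_alerts(series: Iterable[Tuple[str, int]],
                     thresholds: Sequence[int] = (1, 5)) -> List[str]:
    """Fire once per threshold level as the count climbs; re-arm when it drops to 0.

    The only state carried from bucket to bucket is next_level, the index of
    the lowest threshold that has not fired yet.  A jump that clears several
    levels in one bucket (0 -> 7 with ladder (1, 5)) fires once, not once per
    level, because both levels are consumed in the same step."""
    ladder = sorted(thresholds)
    next_level = 0          # 0 == fully armed
    fired: List[str] = []
    for t, cnt in series:
        if cnt <= 0:
            next_level = 0  # queue drained: arm the whole ladder again
            continue
        if next_level < len(ladder) and cnt >= ladder[next_level]:
            # consume every level this count has already cleared
            while next_level < len(ladder) and cnt >= ladder[next_level]:
                next_level += 1
            fired.append(t)
        # otherwise: suppressed, waiting for the next level
    return fired


if __name__ == "__main__":
    print("stateless:", stateless_alerts(SAMPLE_SERIES))
    print("throttled:", throttled_alerts(SAMPLE_SERIES))
```

On the posted series the naive rule fires on all nine buckets, while the throttled rule fires at 1:00:00 (count first reaches 1) and 1:25:00 (count first reaches 5) and is silent for 1:30:00 onward. The practical point for a scheduled search is that each run starts with no memory of the previous run, so whatever plays the role of `next_level` here cannot live in the alert itself; it has to be reconstructed on every run from the earlier buckets inside the search window.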

manja054
Explorer

Thanks for the answer, but this is not what I am looking for.

After triggering the 1st alert it has to throttle until the count becomes >= 5.


gyarici
Path Finder

Hi,

As I understood, you have data like:

cnt  difference
 10           0
 15           5
 19           4

What I understood is that you want to trigger if difference<0 but not trigger again until difference reaches 5.

Here is the new logic:

....|timechart last(Cnt) as CurrentQueueLength span=5m | delta CurrentQueueLength as difference p=3|eval condition1=case(difference<2,"smallerthantwo",difference>5,"biggerthanfive")|eval condition2=if((condition1="smallerthantwo") OR (condition1="biggerthanfive"),1,0)| table _time,difference,condition1,condition2

Now, if condition2="1" in your table, you can raise an alarm.

Cron: */15 * * * *

Hope it is OK.

Thanks

Gokhan


otman01
Communicator

You can make 2 alerts:
the first will be between 0 and 5,
and the second will be over 5.
