Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to trigger an alert based on the number of rows in the "Statistics" tab?

dwh_splunk
Explorer
‎03-31-2016 06:39 AM

I have a saved search, that starts with a dbquery | dbquery, then does some transformations and ends with a collect statement.

When I run this search manually, there are resulting events and all results go to the "Statistics" tab.
I want to monitor, if indeed data was collected by my saved search.

This does not do the trick:

counttype = number of events
quantity = 1
relation = less than

simply because there are no resulting events.

Is there a way to trigger an alert based on the number of rows in the "Statistics" tab?

0 Karma
Reply

mcronkrite
Splunk Employee
Splunk Employee
‎04-02-2016 04:34 PM

When you run the Splunk Search that you want an alert for go to the top right and save as. There is an option for Save as Alert. The options include the count of the rows and lots of other options.

Here is an example:
http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Alertexamples

0 Karma
Reply

woodcock
Esteemed Legend
‎04-02-2016 01:25 PM

Passing events to the collect command does not destroy the events so you can just tack this on to the end of your search and trigger off of count:

... | stats count
0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎04-02-2016 09:22 AM

If your search ends with collect - those results go somewhere else.

Can you write another search that queries the summary index over the appropriate time span to get your statistics?

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎03-31-2016 06:27 PM

Is there any way you could paste the search itself?

0 Karma
Reply

somesoni2
Revered Legend
‎03-31-2016 07:58 AM

Which version of splunk you're using?

0 Karma
Reply

dwh_splunk
Explorer
‎03-31-2016 08:11 AM

version 6.1.1

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...