
How to trigger an alert when the count of unique values is greater than 10?

Engager

I am very new to Splunk and I am working on building an alert that will trigger when a field has more than 10 unique values.

index=network sourcetype=cisco  | dedup host | stats count by host 

I am having trouble with how to trigger an alert when the number of unique hosts is 10 or greater in a 20-minute period. Any guidance on how I can do this would be great.

Thanks!

Re: How to trigger an alert when the count of unique values is greater than 10?

Motivator
index=network sourcetype=cisco | stats count by host 

Set your alert trigger condition to be Number of Results is greater than 9

And to do 20 minutes you can set your alert to use a cron schedule */20 * * * *
And set the time range to Relative - 20 minutes ago

OR

Change your search to get distinct count of hosts

index=network sourcetype=cisco | stats dc(host) as hosts_count | where hosts_count > 9

and set your alert to look for greater than 0

Re: How to trigger an alert when the count of unique values is greater than 10?

This is close, but I believe the search should be:

index=network sourcetype=cisco
| stats count by host

If you run the search with | stats dc(host), you will always get exactly one result - the distinct count of host values.

Another note for @geerkenr - you don't need to dedup before calling stats, in this instance, since you aren't using the counts for anything. Calling dedup first will just make the search less efficient.

Re: How to trigger an alert when the count of unique values is greater than 10?

Motivator

According to the question he wanted the distinct count of host values: " when the number of unique hosts are 10 or greater "

Maybe I read the question wrong?

Re: How to trigger an alert when the count of unique values is greater than 10?

No, I read the requirements the same way - but it's a sneaky thing here. If you use |stats dc(host), you will get exactly one result - a count of unique hosts. But then if you set the alert to only trigger if the number of results is greater than 10, you will never alert. Let's say the events returned from

index=network sourcetype=cisco

include 25 unique host values. Then this:

index=network sourcetype=cisco
| stats dc(host)

will return a single result: dc(host)=25. And that won't trigger the alert, because the alert will see a single result. But this:

index=network sourcetype=cisco
| stats count by host

will return 25 results - each result will be a unique host value, followed by a count. And if there are more than 10 results, as desired, the alert will trigger.

There's a way to use your search structure to get the desired result, but it's a little less intuitive in the UI. You'd need to set a custom trigger and do something like dc(host)>=10 (and it would be more straightforward if the stats command were | stats dc(host) AS host_count, so the custom trigger could be host_count>=10, because I'm honestly not 100% sure whether dc(host)>=10 would require any quotes around the field name).

Anyway, much longer response than you probably wanted, but I thought it would be useful to expand on this.

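As an added example (not part of the thread, and not the poster's own configuration), here are the two approaches discussed above written out as savedsearches.conf stanzas, so the difference between "Number of Results" and a custom trigger condition is visible side by side. The index, sourcetype, schedule and threshold come from the thread; the stanza names, the email recipient and the throttling window are assumed placeholders.

```ini
# Added example: two equivalent alert definitions for savedsearches.conf.
# "network"/"cisco", the */20 schedule and the 10-host threshold are from the
# thread; stanza names, soc@example.com and the suppress window are assumed.

# Option 1: one result row per distinct host, trigger on the row count.
# The UI's "Number of Results is greater than 9" maps to these three keys.
[cisco_unique_hosts_rowcount]
search = index=network sourcetype=cisco | stats count by host
enableSched = 1
cron_schedule = */20 * * * *
dispatch.earliest_time = -20m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 9
alert.track = 1
action.email = 1
action.email.to = soc@example.com

# Option 2: collapse to a single row carrying the distinct count and test it
# with a custom trigger condition (the UI's "Custom" trigger). Renaming with
# AS avoids a field literally named dc(host), which would need single quotes
# ('dc(host)') if referenced in where/eval.
[cisco_unique_hosts_dc]
search = index=network sourcetype=cisco | stats dc(host) AS host_count
enableSched = 1
cron_schedule = */20 * * * *
dispatch.earliest_time = -20m
dispatch.latest_time = now
# alert_condition is a search evaluated against the result rows; the alert
# fires when any row survives it. When alert_condition is set, do not also
# set counttype/relation/quantity, as the custom condition takes precedence.
alert_condition = search host_count >= 10
alert.track = 1
# Throttle so a sustained spike does not re-fire on every 20-minute run.
alert.suppress = 1
alert.suppress.period = 20m
action.email = 1
action.email.to = soc@example.com
```

Both stanzas fire under the same condition. Option 1 is the one to prefer if you want the triggered alert's result set to list the offending hosts; Option 2 gives you a single number that is easier to feed into a trigger message or to compare against other thresholds.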
Re: How to trigger an alert when the count of unique values is greater than 10?

Motivator

Oh duh! Yes! I was trying to solve it two ways and put them into one that doesn't work instead of separating them and explaining. Thank you for correcting that.

Re: How to trigger an alert when the count of unique values is greater than 10?

Absolutely. 🙂 The rest of the answer was written with great detail. If you revise, I'll upvote it, because it's a useful answer for folks!

Re: How to trigger an alert when the count of unique values is greater than 10?

Motivator

I fixed it and added both options 🙂 thank you!
