Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How would I go about having an alert fire at a given threshold ?

dannyze
Explorer
‎02-27-2020 09:44 AM

How would I go about having an alert set at a given threshold ?

When I run the following, I sometimes get incomplete results in the stats table due to not every field meeting the number 6
index=_internal AND NOT email="blank@domain.com"
| stats count by email, Message, client.ipAddress, geographical.city
| where count>6
| sort -count

When I try the following, I get an alert for 6 total events with no threshold criteria met.
Trigger Condition:
Number of Results is > 6.

Desired outcome would be a criteria of the set threshold met and only when it is met. For example, an alert to fire on the 'count' of a given event occurring 6 times

Appreciate any tips in advance

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

arjunpkishore5
Motivator
‎02-27-2020 10:17 AM

In your query, you are already filtering events having count>6. So you trigger condition should be

Trigger Condition:
Number of Results is > 0

Trigger condition purely works on the results of the query and does not modify the query itself.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dannyze
Explorer
‎02-27-2020 11:03 AM

Thank you , modified my Trigger Condition accordingly

0 Karma
Reply
Solved! Jump to solution
Solution

arjunpkishore5
Motivator
‎02-27-2020 10:17 AM

In your query, you are already filtering events having count>6. So you trigger condition should be

Trigger Condition:
Number of Results is > 0

Trigger condition purely works on the results of the query and does not modify the query itself.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...