Alerting

How would I go about having an alert fire at a given threshold?

dannyze
Explorer


When I run the following, I sometimes get incomplete results in the stats table because not every field meets the number 6:
index=_internal AND NOT email="blank@domain.com"
| stats count by email, Message, client.ipAddress, geographical.city
| where count>6
| sort -count

When I try the following, I get an alert for 6 total events with no threshold criteria met:
Trigger Condition:
Number of Results is > 6.

The desired outcome would be the set threshold criterion being met, and only when it is met. For example, an alert that fires on the 'count' of a given event occurring 6 times.

Appreciate any tips in advance

1 Solution

arjunpkishore5
Motivator

In your query, you are already filtering events having count>6. So your trigger condition should be:

Trigger Condition:
Number of Results is > 0

The trigger condition works purely on the results of the query and does not modify the query itself.

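The same alert written as two savedsearches.conf stanzas, as an added example that is not part of the original post or of any Splunk documentation: the first stanza reproduces the setup that fired incorrectly (threshold in the search and again on the row count), the second keeps the threshold in the search and triggers on any remaining row. Stanza names, the schedule, the time window and the recipient address are assumptions; the UI's "Number of Results" trigger corresponds to the `counttype = number of events` key.

```ini
# Added example (not from the original post): the asker's alert as two
# savedsearches.conf stanzas. Stanza names, schedule, time window and
# the recipient address are assumptions chosen for illustration.

# Before: "where count>6" already keeps only groups above the threshold,
# and the trigger then demands MORE THAN 6 such rows. The search returns
# one row per (email, Message, ipAddress, city) group, so the alert only
# fires when more than six distinct groups each exceed the threshold,
# not when a single group reaches it.
[email_threshold_alert_wrong]
search = index=_internal AND NOT email="blank@domain.com" | stats count by email, Message, client.ipAddress, geographical.city | where count>6 | sort -count
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 6
disabled = 1

# After: the threshold lives in the search, so every row it returns has
# count>6 by construction. Trigger as soon as there is at least one row.
[email_threshold_alert]
search = index=_internal AND NOT email="blank@domain.com" | stats count by email, Message, client.ipAddress, geographical.city | where count>6 | sort -count
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
actions = email
action.email.to = soc@example.com
```

Two caveats for anyone copying this: the trigger is evaluated against whatever rows the search returns, so the threshold comparison belongs in the `where` clause and the trigger only needs to detect a non-empty result set; and `stats count by` silently drops any event that lacks one of the four split-by fields, so a group that looks like it should have reached 6 may be undercounted when some of its events are missing `client.ipAddress` or `geographical.city`.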

dannyze
Explorer

Thank you, modified my Trigger Condition accordingly.
