Hello Team,
Is it possible to create an error report that runs every 30 minutes, but where the mail notification is raised only if 20 ERROR events are generated in the last 30 minutes?
Example:
index=ABC sourcetype=XYZ "ERROR"=999
I need help to create a report like this.
Hi @cbiraris,
as I said, you have to create two different objects:
They use the same search, but the alert has the additional condition count>20.
Ciao.
Giuseppe
Splunk calls such reports "alerts".
Hi @cbiraris,
let me understand: you want to fire the alert if the alert was fired 20 times, is it correct?
In this case you have to create two alerts:
Ciao.
Giuseppe
@gcusello
Thank you for writing me back.
I want to create a report which will run every 30 minutes, but if there are 20 ERROR events in the last 30 minutes then it only triggers an email notification, like alerts normally do.
I know it can be possible by lookup, but I am not sure how to create it. Could you please help with sample code and direction?
Hi @cbiraris.
let me understand:
is it correct?
If this is your need, you can create two objects:
Ciao.
Giuseppe
@gcusello
Yes, you are right. I need both Report and Alert, but if the alert fires, the email should contain the report.
So, is it possible?
Thank you 🙂
Wow..! Thank you so much @gcusello
It worked.
Hi @cbiraris,
good for you, see next time!
Please accept one answer for the other people of Community
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors 😉
Hi @cbiraris,
You can filter on the event count like below and save it as an alert:
index=ABC sourcetype=XYZ "ERROR"=999 | stats count | search count>20
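The two objects described in this thread, written out as savedsearches.conf stanzas. This is an added example, not configuration posted by anyone in the thread; the stanza names, the recipient address and the added `table` fields are assumptions, while the index, sourcetype and search term are the ones from the question.

```ini
# savedsearches.conf (added example, not from the thread)

# Object 1: the scheduled report. Runs every 30 minutes over the last
# 30 minutes and always emails the matching ERROR events, however many.
[error_report_30m]
search = index=ABC sourcetype=XYZ "ERROR"=999 | table _time host source _raw
enableSched = 1
cron_schedule = */30 * * * *
dispatch.earliest_time = -30m
dispatch.latest_time = now
action.email = 1
action.email.to = secops@example.com
action.email.sendresults = 1
action.email.inline = 1

# Object 2: the alert. Same search and schedule, but the email action only
# fires when the trigger condition (more than 20 results) is met. Because
# the search returns the raw events rather than a single count row, the
# triggering events ride along in the mail, so the alert email carries the report.
[error_alert_30m]
search = index=ABC sourcetype=XYZ "ERROR"=999 | table _time host source _raw
enableSched = 1
cron_schedule = */30 * * * *
dispatch.earliest_time = -30m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 20
alert.severity = 4
alert.track = 1
action.email = 1
action.email.to = secops@example.com
action.email.sendresults = 1
action.email.inline = 1
```

The `stats count | search count>20` form from the answer above works as well, but it reduces the result set to one row, so `action.email.sendresults` would put only the count in the mail rather than the error events; keeping the events in the search and moving the threshold into the trigger condition (`counttype`, `relation`, `quantity`) is what gives the "email contains the report" behaviour the question asks for. Whichever form is used, `dispatch.earliest_time` should match the cron interval so that consecutive runs neither overlap nor leave gaps in the 30-minute windows.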