Alerting

Is it possible to have multiple custom alert trigger conditions

Explorer

When I create a new alert, I choose Custom Trigger Condition. Is it possible to write multiple trigger conditions using the AND/OR operators, for example:

search count=0 AND category=something

Where category comes from a lookup table.

SplunkTrust

So, one thing that you have to remember is that the data needs to be present in your output for the alert condition to pick it up, e.g. you have to have category in your final table or output.

For this, would you be able to modify your search to look like this?

sourcetype=abcd user=john action=login
| eval Date=strftime(now(), "%m/%d/%Y")
| lookup mydates.csv Date OUTPUTNEW category
| search NOT category=holiday
| table category Date action
| stats count(action) AS count

and then your alert condition could be:

search count=0

I think the reason that you are not getting anything with your alert condition is that, since you are doing a stats, the category field is no longer present in the final result, so I would think that you either need to make it available in your final result or filter it out in your search.

Champion

It is possible.
If you are able to retrieve the trigger condition in a simple run-time search, there is no reason why the same search will not work in an alert.
I do suspect, however, that you are facing some issues in your search/trigger condition. Can you elaborate a bit more?

Explorer

@Sukisen1981 Thanks for your response! I have a search to get user login activity counts. I need to trigger an alert that sends an email if the user login count = 0. I run this every hour but would like to exclude weekends and holidays, as there will not be any login activity anyway. I thought about many ways to do this and came down to this one:
1. I create a holidays.csv file and upload it to lookups. The file looks like this:

    Date,category
    1/1/2019,holiday

2. My search would be:

    sourcetype=abcd user=john ation=login
    |eval Date=strftime(now(), "%m/%d/%Y")
    |lookup mydates.csv Date OUTPUTNEW category
    |table category Date
    |stats count(action)

3. In the Alert settings, I set the cron expression as:

    00 * * * 1-5 (this will exclude all weekends)

4. In Custom Alert Trigger Condition, I am thinking of setting a condition like:

    search count=0 AND NOT category=holiday

However, this did not work as I expected.

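As an added example (this is not code from any post in this thread), here is a complete version of the search described in the accepted answer and in the procedure above that keeps the category field visible to the trigger condition. The lookup file name holidays.csv, its header Date,category, and the one-hour time window are assumptions; the header field name must match the field passed to the lookup command exactly, or category comes back empty. The order of the commands is the point: stats count always returns exactly one row, even when zero events match, so running eval and lookup after it guarantees that Date and category exist on the row the trigger condition is evaluated against. The example goes slightly beyond the post by also classifying Saturday and Sunday in the search itself, so the alert still behaves correctly if the cron schedule is later changed.

```spl
sourcetype=abcd user=john action=login earliest=-1h@h latest=@h
| stats count
| eval Date=strftime(now(), "%m/%d/%Y"), dow=strftime(now(), "%a")
| lookup holidays.csv Date OUTPUTNEW category
| eval category=case(isnotnull(category), category, dow="Sat" OR dow="Sun", "weekend", true(), "workday")
| table Date dow category count
```

With that search, the Custom Trigger Condition is simply: search count=0 category="workday". On a holiday the row carries category="holiday" (from the lookup), on a weekend category="weekend", and on any other day category="workday" with count=0 only when no login events were found, which is the one case that should fire. Note the difference from filtering out holiday rows before stats: if the holiday rows are removed first, stats count still returns 0 and the alert fires on exactly the days you meant to skip.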

Engager

@lucy2019first, your search request contains a typo in the "action" field:

sourcetype=abcd user=john ation=login 

and I'm not sure, but the mistake seems to be that you use stats count(action) after a table without the action field.

Did you check the request in a regular search?


Champion

What happens if you slightly modify this to search count=0 | where category!="holiday" ?


Explorer

@Sukisen1981 With or without the 'where category ...' clause, the results were the same. It looks like the category field outputs an empty string.
