
Is there a way to convert a scheduled report to an alert? (6.6.3)

Influencer

If a saved search is initially created as an alert, I get the option to "Edit alert". But if it's saved as a report, that option is not there and Edit Schedule does not offer the same options. I can't see any way to modify a report to have a conditional alert. I can schedule a report. And I can assign an email action to a report. But the GUI offers no way to assign a conditional action to a report. In order to get the conditional verbiage, I have to recreate the saved search explicitly as an alert. Or edit config files directly.

The new paradigm of reports vs alerts is not ... handy. Maybe I'm just not used to it.

v6.6.3, Linux


Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

Legend

Hi twinspop,
Reports and alerts are different expressions of a search (eventually the same).
If the problem is to have a condition in the execution of a scheduled report, you can put this condition in your search: e.g. I have a report that lists all the non-updated devices, but sometimes there is an error in the ingestion of the device situation, so in this case there are thousands of non-updated devices in my list.
So I inserted the condition | where count<1000 in my search (usually there are few non-updated devices), so I'm sure that it doesn't send a wrong report when the situation is not updated, but only a correct one when the situation is updated.
I hope I was clear.
Bye.
Giuseppe

0 Karma

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

Influencer

This is no longer accurate with Splunk 6.6.x.

0 Karma

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

Legend

You have to find a different condition to verify your report execution.
Bye.
Giuseppe

0 Karma

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

Influencer

No, the interface is totally different. If you have 6.6.x you will see.

0 Karma

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

Legend

Sorry but I explained badly:
you have to insert a condition in your search, something like | where count<1000 but relevant for your search.
Bye.
Giuseppe

0 Karma

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

Influencer

If you're not running 6.6.x you don't understand. For REPORTS there is only an option to send an email when the report runs. Period. There is no qualifier for number of results returned, custom eval, or anything else. Even with "where count>0" I will still get email on every run regardless of results. In 6.6 REPORTS are inherently different from ALERTS and I don't see any way to convert one way or the other.

0 Karma

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

Legend

You have to insert the additional condition in the search used in the report, in other words:
if the original search is

index=my_index | stats dc(host) AS count

you have to modify the search (not the report conditions)

index=my_index | stats dc(host) AS count | where count<1000

Bye.
Giuseppe

0 Karma

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

Influencer

Doesn't work in 6.6

0 Karma

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

Influencer

I downvoted this post because it is not answering the question. Extra search commands are not leading to the subject at hand: how to change a report to an alert in 6.6.

0 Karma