Re: Search Query - Alert

rashi83 · ‎05-12-2020

Hi ,
I have a query which returns 5 events ( basically 5 files gets transferred) . I need to send an alert once all 5 files are transferred - meaning as soon as the event count is 5 , alert should be triggered. IS the below query good enough for such scneario ?

Should I write like index=* X y | stats count by FileName | where count=5

to4kawa · ‎05-12-2020

Does only success populate the event?

rashi83 · ‎05-12-2020

yes , if only success / transfer happen - event gets written

to4kawa · ‎05-12-2020

well, your query is enough for this, I think.

rashi83 · ‎05-12-2020

So while setting up Alert - should I mention Trigger Alert when Number of Results is greater than 4. OR will the query takes care of it.

I am little confused .

to4kawa · ‎05-12-2020

you use | where count=5
, so to fire
alert

event count > 0

rashi83 · ‎05-12-2020

Thank you

to4kawa · ‎05-12-2020

please provide your query for answer and accept it.

rashi83 · ‎05-12-2020

up voted your answer

to4kawa · ‎05-12-2020

thank you rashi83

Search Query - Alert

alert condition

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Join the Conversation