Search Query - Alert

rashi83 · ‎05-12-2020

Hi ,
I have a query which returns 5 events ( basically 5 files gets transferred) . I need to send an alert once all 5 files are transferred - meaning as soon as the event count is 5 , alert should be triggered. IS the below query good enough for such scneario ?

Should I write like index=* X y | stats count by FileName | where count=5

to4kawa · ‎05-12-2020

Does only success populate the event?

rashi83 · ‎05-12-2020

yes , if only success / transfer happen - event gets written

to4kawa · ‎05-12-2020

well, your query is enough for this, I think.

rashi83 · ‎05-12-2020

So while setting up Alert - should I mention Trigger Alert when Number of Results is greater than 4. OR will the query takes care of it.

I am little confused .

to4kawa · ‎05-12-2020

you use | where count=5
, so to fire
alert

event count > 0

rashi83 · ‎05-12-2020

Thank you

to4kawa · ‎05-12-2020

please provide your query for answer and accept it.

rashi83 · ‎05-12-2020

up voted your answer

to4kawa · ‎05-12-2020

thank you rashi83

Search Query - Alert

alert condition

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Are you a member of the Splunk Community?

Search Query - Alert

alert condition

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...