Search Query - Alert

rashi83 · ‎05-12-2020

Hi ,
I have a query which returns 5 events ( basically 5 files gets transferred) . I need to send an alert once all 5 files are transferred - meaning as soon as the event count is 5 , alert should be triggered. IS the below query good enough for such scneario ?

Should I write like index=* X y | stats count by FileName | where count=5

to4kawa · ‎05-12-2020

Does only success populate the event?

rashi83 · ‎05-12-2020

yes , if only success / transfer happen - event gets written

to4kawa · ‎05-12-2020

well, your query is enough for this, I think.

rashi83 · ‎05-12-2020

So while setting up Alert - should I mention Trigger Alert when Number of Results is greater than 4. OR will the query takes care of it.

I am little confused .

to4kawa · ‎05-12-2020

you use | where count=5
, so to fire
alert

event count > 0

rashi83 · ‎05-12-2020

Thank you

to4kawa · ‎05-12-2020

please provide your query for answer and accept it.

rashi83 · ‎05-12-2020

up voted your answer

to4kawa · ‎05-12-2020

thank you rashi83

Search Query - Alert

alert condition

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...

Join the Conversation

Search Query - Alert

alert condition

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...