Search Query - Alert

rashi83 · ‎05-12-2020

Hi ,
I have a query which returns 5 events ( basically 5 files gets transferred) . I need to send an alert once all 5 files are transferred - meaning as soon as the event count is 5 , alert should be triggered. IS the below query good enough for such scneario ?

Should I write like index=* X y | stats count by FileName | where count=5

to4kawa · ‎05-12-2020

Does only success populate the event?

rashi83 · ‎05-12-2020

yes , if only success / transfer happen - event gets written

to4kawa · ‎05-12-2020

well, your query is enough for this, I think.

rashi83 · ‎05-12-2020

So while setting up Alert - should I mention Trigger Alert when Number of Results is greater than 4. OR will the query takes care of it.

I am little confused .

to4kawa · ‎05-12-2020

you use | where count=5
, so to fire
alert

event count > 0

rashi83 · ‎05-12-2020

Thank you

to4kawa · ‎05-12-2020

please provide your query for answer and accept it.

rashi83 · ‎05-12-2020

up voted your answer

to4kawa · ‎05-12-2020

thank you rashi83

Search Query - Alert

alert condition

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Building Momentum: Splunk Developer Program at .conf25

Are you a member of the Splunk Community?

Search Query - Alert

alert condition

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Building Momentum: Splunk Developer Program at .conf25