Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trigger specific custom alert

alekseisaiko
Path Finder
‎03-03-2020 04:08 AM

Hi there!
I'm using this query 

index="dev" |eval raw_len=len(_raw) | eval raw_len_gb = raw_len/1024/1024/1024 | stats sum(raw_len_gb) as GB by kubernetes_namespace | bin _time span=1d

To get the amount of received data from K8S logs, and I want to trigger alert using this query, if the amount will be more than 0.5 gig a day.
How to define it in alert?
Right now, when I'm defining alert that triggers when - "eval raw_len_gb > 0.5", it's not triggered

Thanks,

ALeksei

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-03-2020 05:28 AM

Add | where raw_len_gb > 0.5 to the end of your query and change the alert to trigger if the number of results is not zero.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-03-2020 05:28 AM

Add | where raw_len_gb > 0.5 to the end of your query and change the alert to trigger if the number of results is not zero.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

alekseisaiko
Path Finder
‎03-03-2020 06:11 AM

Thanks for you answer!
Right now, I want to test that this query works.

If I'm running my query (without the | where raw_len_gb > 0.5) for last 15 mins, I'm getting results, with 0.029 GB for example in one of the results.
But if I want to check the same query with | where raw_len_gb > 0.01 just to see that it will show results, it doesn't. Though it must show the one with 0.029 GB and more.

0 Karma
Reply
Solved! Jump to solution

alekseisaiko
Path Finder
‎03-03-2020 06:58 AM

Ok, it worked liked this -
index="dev" |eval raw_len=len(_raw) | eval raw_len_gb = raw_len/1024/1024/1024 | stats sum(raw_len_gb) as GB by kubernetes_namespace | bin _time span=1d | where GB > 0.0004
And I'm getting relevant results now, but still , trigger is not working from some reason

0 Karma
Reply
Solved! Jump to solution

alekseisaiko
Path Finder
‎03-03-2020 07:03 AM

My bad, it worked! 🙂
Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...