Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trigger specific custom alert

alekseisaiko
Path Finder
‎03-03-2020 04:08 AM

Hi there!
I'm using this query 

index="dev" |eval raw_len=len(_raw) | eval raw_len_gb = raw_len/1024/1024/1024 | stats sum(raw_len_gb) as GB by kubernetes_namespace | bin _time span=1d

To get the amount of received data from K8S logs, and I want to trigger alert using this query, if the amount will be more than 0.5 gig a day.
How to define it in alert?
Right now, when I'm defining alert that triggers when - "eval raw_len_gb > 0.5", it's not triggered

Thanks,

ALeksei

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-03-2020 05:28 AM

Add | where raw_len_gb > 0.5 to the end of your query and change the alert to trigger if the number of results is not zero.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-03-2020 05:28 AM

Add | where raw_len_gb > 0.5 to the end of your query and change the alert to trigger if the number of results is not zero.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

alekseisaiko
Path Finder
‎03-03-2020 06:11 AM

Thanks for you answer!
Right now, I want to test that this query works.

If I'm running my query (without the | where raw_len_gb > 0.5) for last 15 mins, I'm getting results, with 0.029 GB for example in one of the results.
But if I want to check the same query with | where raw_len_gb > 0.01 just to see that it will show results, it doesn't. Though it must show the one with 0.029 GB and more.

0 Karma
Reply
Solved! Jump to solution

alekseisaiko
Path Finder
‎03-03-2020 06:58 AM

Ok, it worked liked this -
index="dev" |eval raw_len=len(_raw) | eval raw_len_gb = raw_len/1024/1024/1024 | stats sum(raw_len_gb) as GB by kubernetes_namespace | bin _time span=1d | where GB > 0.0004
And I'm getting relevant results now, but still , trigger is not working from some reason

0 Karma
Reply
Solved! Jump to solution

alekseisaiko
Path Finder
‎03-03-2020 07:03 AM

My bad, it worked! 🙂
Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...