Alerting

Triggering an alert on alerts (Alert-on-Alerts)

cafey
New Member

Is there a way in Splunk to alert on the number of alerts?

For example, I want to create an alert which searches for 6 logins into a server. Assume this runs every 1 min (that's an arbitrary number) and fires an alert called Alert-A. I want to fire an alert B if 5 Alert-A have triggered in the last 5 mins.

I am not looking for a solution where you suggest, "why not create a search and alert if 6*5 login attempts have been made on the server?"

My question is specific to triggering an alert on other alert.

0 Karma
1 Solution

Yasaswy
Contributor

Hi, you should be able to pull up fired alerts from a REST call, schedule a search on it and trigger an alert on alerts. E.g.:

    | rest /services/alerts/fired_alerts/name | search | where triggered_alert_count > 5 | table id triggered_alert_count

Alerts URI reference

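The same REST approach worked through the question's scenario, as an added example that is not from the thread: triggered_alert_count in the answer above is a running total of the retained triggered instances of an alert rather than a count over a time window, so to fire Alert-B when Alert-A has fired 5 times in the last 5 minutes, list the triggered instances of Alert-A and filter on their trigger time. This assumes the first alert is saved as Alert-A (the name used in the question) and that the endpoint's entries carry an epoch-seconds trigger_time field.

```spl
| rest /services/alerts/fired_alerts/Alert-A
| where trigger_time >= relative_time(now(), "-5m")
| stats count AS alert_a_fired_last_5m
| where alert_a_fired_last_5m >= 5
```

Save this as a scheduled search running every minute with the trigger condition "number of results > 0" and attach the Alert-B action to it. If the alert name contains spaces or special characters, URL-encode it in the endpoint path.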
mmaqbool
Explorer

This might be a bit of an old thread, but I would be very thankful if you could explain the SPL expression in a somewhat non-technical fashion for a new user like me. Specifically, what are its different parts doing? Many thanks.

0 Karma

cafey
New Member

Perfect, this is what I was looking for!! Thanks a bunch there!!!

0 Karma

stepheneardley
Explorer

Exactly what I was after 🙂

0 Karma