Alerting

What does "number of results" mean when configuring an alert?

josefa
Path Finder

Hello splunkers,

I have a doubt when configuring alerts. The documentation and the GUI talk about "Number of results", and I'm not sure whether that refers to the raw search results or, for example, when using the stats command, to the rows of the result table shown.

Let's say I have the search index=test user=root dhost=* and it gives me 100 event results.
If I do index=test user=root dhost=* | stats count by dhost it gives me a table with 3 rows:

dhost | count
------+------
host1 |    50
host2 |    30
host3 |    20

For each of the searches, if the triggering condition is "Number of results greater than 50":

  1. Which search would trigger? (I think only the 1st, as for me the number of results in the 2nd search is 3 [rows])
  2. If both trigger, which data would come as the result for each?

Thank you in advance for sharing your knowledge

0 Karma

btiggemann
Path Finder

Hi Josefa,

The number of results means the number of events your search / alert will generate.
In your example above, the search will trigger if you have more than 50 rows in your table with host and count.
It will not trigger if you have a value of count greater than 50.
If this is what you want, you can do the following:

Create a new search:

index=test user=root dhost=* | stats count by dhost | where count > 50

and when you create the alert, set the number of results to "greater than 0".

The search will trigger only if there is at least one host with a count > 50.

0 Karma
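The two alert definitions discussed in the answer, written out as they are stored on disk in savedsearches.conf. This is an added example, not part of the thread or of Splunk's own documentation; the file path, the stanza names, the schedule, the severity and the recipient address are assumptions. The GUI's "Number of Results" trigger is persisted as counttype = number of events, and it counts the rows the search returns, never the value of a field inside those rows, which is exactly the distinction the question is about.

```ini
# Added example, not from the thread. Assumed location (any app's local directory works):
#   $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf
# The GUI's "Number of Results" trigger is stored as counttype = number of events.
# It compares the NUMBER OF ROWS the search returns against "quantity", so a field
# named count inside a row is invisible to it.

# 1. Alert that does NOT fire for the stats search in the question.
#    The search returns 3 rows (host1, host2, host3); 3 is not greater than 50,
#    even though host1's count field is 50.
[root_logins_by_host_wrong]
search = index=test user=root dhost=* | stats count by dhost
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 50
alert.track = 1

# 2. Corrected alert as suggested in the answer: apply the threshold inside the
#    search with "where", then fire whenever at least one row survives it.
#    With the sample data (50/30/20) this does not fire either, because 50 is not
#    greater than 50; use "where count > 49" if 50 should count as a hit.
[root_logins_by_host]
search = index=test user=root dhost=* | stats count by dhost | where count > 50
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4
# Send one notification listing every offending host instead of one per row.
alert.digest_mode = 1
action.email = 1
action.email.to = soc@example.com
action.email.sendresults = 1

# 3. Equivalent using a custom trigger condition (the "Custom" option in the GUI):
#    the unfiltered stats search runs, and alert_condition is a secondary search
#    evaluated over its result rows. The alert fires if that secondary search
#    returns at least one row.
[root_logins_by_host_custom]
search = index=test user=root dhost=* | stats count by dhost
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
enableSched = 1
counttype = custom
alert_condition = search count > 50
alert.track = 1
action.email = 1
action.email.to = soc@example.com
```

After editing the file, reload saved searches (a restart of the search head is the blunt way) and check the alert under Settings > Searches, reports, and alerts; the "Trigger condition" shown there should read "Number of Results is greater than 0" for the corrected stanza. Stanza 2 is preferable to stanza 3 when the triggered results are emailed or sent to a ticketing system, because only the hosts over the threshold end up in the payload; stanza 3 delivers all three rows.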

josefa
Path Finder

Thanks @btiggemann! doubt clarified

0 Karma

josefa
Path Finder

Taking into account that it should be count > 49 (50 is not greater than 50 :P). My bad from the beginning.

0 Karma

cmerriman
Super Champion

The first search would trigger, the second wouldn't. You'd get back the results the search creates.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Alert/Alertexamples#Custom_trigger_condition_examp...

0 Karma