- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- What does "number of results" means when configuri...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What does "number of results" means when configuring an alert?
Hello splunkers,
I have a doubt when configuring Alerts. Documentation and the GUI talks about Number of results, which I'm not sure it's about search results or, for example, when using the stats command the result table shown.
Let's say I have the search index=test user=root dhost=* and it gives me 100 event results.
If I do index=test user=root dhost=* | stats count by dhost it gives me a table with 3 rows
++++++++++++++
|dhost | count |
++++++++++++++
|host1 | 50 |
++++++++++++++
|host2 | 30 |
++++++++++++++
|host3 | 20 |
++++++++++++++
For each of the searches, if the triggering condition is "Number of results greater than 50":
- Which search would trigger? (I think only the 1st, as for me the number of results in 2nd search is 3[rows])
- If both trigger, which data would come as result for each?
Thank you in advance for sharing your knowledge
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Josefa,
the number of results means, the number of events your search / alert will generate.
In your example above the search will trigger if you have more than 50 rows in your table with host and count.
It will not trigger if you have a value of count greater 50.
If this is what you want you can do the following:
Create a new search:
index=test user=root dhost=* | stats> count by dhost | where count > 50
and if you create the alert set the number of results to "greater than 0"
The search will trigger only if there is at least one host with a count > 50.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @btiggemann! doubt clarified
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Taking into account it should be count > 49 (50 is not greater than 50 :P). My bad from the beginning.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The first search would trigger, the second wouldn't. You'd get back the results the search creates.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
