Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I not receiving e-mail notification?

ravir_jbp
Explorer
‎03-22-2022 04:17 AM

 

 

I am able to perfom search for disk space and can see the reuslts. However, I am not getting alert when I setup it in alert option. Below are the settings I have used:

Search script:
===============
index=perfmon host=XXXXXX OR host=YYYYYYYsourcetype="Perfmon:LogicalDisk" counter="% Free Space" instance="C:" OR instance="D:" OR instance="E:" Value earliest=-1m latest=now |dedup instance host| sort host| eval Value=round(Value,0)| where Value<50| stats list(host),list(instance),list(Value)| rename list(host) as Servers, list(instance) as Drives, list(Value) as FreeSpaceLeft%

Cron expression :
=====================
*/5 * * * *

Trigger alert condition:
=========================

search Value <= 50

CAn you please help me on where it went wrong. I am not getting alert for this condition.

 

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-22-2022 04:39 AM

HI @ravir_jbp,

Yes, you have to put the condition only in one point: in the search or in the triggering conditions.

my hint is to put all the conditions in the search and trigger the alert when you have results (results>0), without putting the condition in the triggering conditions.

Ciao.

Giuseppe

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-22-2022 04:24 AM

Hi @ravir_jbp,

let me understand: you inserted the condition

| where Value<50

inside the search, so if you have results the alert must trigger, is it correct?

in this case the condition to set for the alert activation isn't "value<=0" but "results>0".

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

ravir_jbp
Explorer
‎03-22-2022 04:32 AM

Hi @gcusello ,

Yes firstly I am trying to filter which drive has space left below 50 % and if condition is met then I need to send e-mail alert. That is why I used Value <50.  

Shall I use results>0 in the trigger condition? I am confused here.

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-22-2022 04:39 AM

HI @ravir_jbp,

Yes, you have to put the condition only in one point: in the search or in the triggering conditions.

my hint is to put all the conditions in the search and trigger the alert when you have results (results>0), without putting the condition in the triggering conditions.

Ciao.

Giuseppe

 

0 Karma
Reply
Solved! Jump to solution

ravir_jbp
Explorer
‎03-22-2022 05:07 AM

Hi @gcusello ,

Thank you very much. This worked for me!!! Thank you again.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-22-2022 05:11 AM

Hi @ravir_jbp,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...