Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I not receiving e-mail notification?

ravir_jbp
Explorer
‎03-22-2022 04:17 AM

 

 

I am able to perfom search for disk space and can see the reuslts. However, I am not getting alert when I setup it in alert option. Below are the settings I have used:

Search script:
===============
index=perfmon host=XXXXXX OR host=YYYYYYYsourcetype="Perfmon:LogicalDisk" counter="% Free Space" instance="C:" OR instance="D:" OR instance="E:" Value earliest=-1m latest=now |dedup instance host| sort host| eval Value=round(Value,0)| where Value<50| stats list(host),list(instance),list(Value)| rename list(host) as Servers, list(instance) as Drives, list(Value) as FreeSpaceLeft%

Cron expression :
=====================
*/5 * * * *

Trigger alert condition:
=========================

search Value <= 50

CAn you please help me on where it went wrong. I am not getting alert for this condition.

 

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-22-2022 04:39 AM

HI @ravir_jbp,

Yes, you have to put the condition only in one point: in the search or in the triggering conditions.

my hint is to put all the conditions in the search and trigger the alert when you have results (results>0), without putting the condition in the triggering conditions.

Ciao.

Giuseppe

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-22-2022 04:24 AM

Hi @ravir_jbp,

let me understand: you inserted the condition

| where Value<50

inside the search, so if you have results the alert must trigger, is it correct?

in this case the condition to set for the alert activation isn't "value<=0" but "results>0".

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

ravir_jbp
Explorer
‎03-22-2022 04:32 AM

Hi @gcusello ,

Yes firstly I am trying to filter which drive has space left below 50 % and if condition is met then I need to send e-mail alert. That is why I used Value <50.  

Shall I use results>0 in the trigger condition? I am confused here.

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-22-2022 04:39 AM

HI @ravir_jbp,

Yes, you have to put the condition only in one point: in the search or in the triggering conditions.

my hint is to put all the conditions in the search and trigger the alert when you have results (results>0), without putting the condition in the triggering conditions.

Ciao.

Giuseppe

 

0 Karma
Reply
Solved! Jump to solution

ravir_jbp
Explorer
‎03-22-2022 05:07 AM

Hi @gcusello ,

Thank you very much. This worked for me!!! Thank you again.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-22-2022 05:11 AM

Hi @ravir_jbp,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...

Enterprise Security Content Update (ESCU) | New Releases

In October, the Splunk Threat Research Team had one release of new security content via the Enterprise ...