Alerting

Why am I not receiving e-mail notification?

ravir_jbp
Explorer

 

 

I am able to perfom search for disk space and can see the reuslts. However, I am not getting alert when I setup it in alert option. Below are the settings I have used:

Search script:
===============
index=perfmon host=XXXXXX OR host=YYYYYYYsourcetype="Perfmon:LogicalDisk" counter="% Free Space" instance="C:" OR instance="D:" OR instance="E:" Value earliest=-1m latest=now |dedup instance host| sort host| eval Value=round(Value,0)| where Value<50| stats list(host),list(instance),list(Value)| rename list(host) as Servers, list(instance) as Drives, list(Value) as FreeSpaceLeft%

Cron expression :
=====================
*/5 * * * *

Trigger alert condition:
=========================

search Value <= 50

CAn you please help me on where it went wrong. I am not getting alert for this condition.

 

 

Labels (2)
Tags (1)
0 Karma
1 Solution

gcusello
Esteemed Legend

HI @ravir_jbp,

Yes, you have to put the condition only in one point: in the search or in the triggering conditions.

my hint is to put all the conditions in the search and trigger the alert when you have results (results>0), without putting the condition in the triggering conditions.

Ciao.

Giuseppe

 

View solution in original post

0 Karma

gcusello
Esteemed Legend

Hi @ravir_jbp,

let me understand: you inserted the condition

| where Value<50

inside the search, so if you have results the alert must trigger, is it correct?

in this case the condition to set for the alert activation isn't "value<=0" but "results>0".

Ciao.

Giuseppe

0 Karma

ravir_jbp
Explorer

Hi @gcusello ,

Yes firstly I am trying to filter which drive has space left below 50 % and if condition is met then I need to send e-mail alert. That is why I used Value <50.  

Shall I use results>0 in the trigger condition? I am confused here.

Tags (1)
0 Karma

gcusello
Esteemed Legend

HI @ravir_jbp,

Yes, you have to put the condition only in one point: in the search or in the triggering conditions.

my hint is to put all the conditions in the search and trigger the alert when you have results (results>0), without putting the condition in the triggering conditions.

Ciao.

Giuseppe

 

0 Karma

ravir_jbp
Explorer

Hi @gcusello ,

Thank you very much. This worked for me!!! Thank you again.

0 Karma

gcusello
Esteemed Legend

Hi @ravir_jbp,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...