Alerting

Why am I not receiving e-mail notification?

ravir_jbp
Explorer

 

 

I am able to perfom search for disk space and can see the reuslts. However, I am not getting alert when I setup it in alert option. Below are the settings I have used:

Search script:
===============
index=perfmon host=XXXXXX OR host=YYYYYYYsourcetype="Perfmon:LogicalDisk" counter="% Free Space" instance="C:" OR instance="D:" OR instance="E:" Value earliest=-1m latest=now |dedup instance host| sort host| eval Value=round(Value,0)| where Value<50| stats list(host),list(instance),list(Value)| rename list(host) as Servers, list(instance) as Drives, list(Value) as FreeSpaceLeft%

Cron expression :
=====================
*/5 * * * *

Trigger alert condition:
=========================

search Value <= 50

CAn you please help me on where it went wrong. I am not getting alert for this condition.

 

 

Labels (2)
Tags (1)
0 Karma
1 Solution

gcusello
Esteemed Legend

HI @ravir_jbp,

Yes, you have to put the condition only in one point: in the search or in the triggering conditions.

my hint is to put all the conditions in the search and trigger the alert when you have results (results>0), without putting the condition in the triggering conditions.

Ciao.

Giuseppe

 

View solution in original post

0 Karma

gcusello
Esteemed Legend

Hi @ravir_jbp,

let me understand: you inserted the condition

| where Value<50

inside the search, so if you have results the alert must trigger, is it correct?

in this case the condition to set for the alert activation isn't "value<=0" but "results>0".

Ciao.

Giuseppe

0 Karma

ravir_jbp
Explorer

Hi @gcusello ,

Yes firstly I am trying to filter which drive has space left below 50 % and if condition is met then I need to send e-mail alert. That is why I used Value <50.  

Shall I use results>0 in the trigger condition? I am confused here.

Tags (1)
0 Karma

gcusello
Esteemed Legend

HI @ravir_jbp,

Yes, you have to put the condition only in one point: in the search or in the triggering conditions.

my hint is to put all the conditions in the search and trigger the alert when you have results (results>0), without putting the condition in the triggering conditions.

Ciao.

Giuseppe

 

0 Karma

ravir_jbp
Explorer

Hi @gcusello ,

Thank you very much. This worked for me!!! Thank you again.

0 Karma

gcusello
Esteemed Legend

Hi @ravir_jbp,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...