Why does the trigger condition for my alert never ...

splunkrocks2014 · ‎04-05-2016

Hi.

I created an alert and tried to trigger a python script to capture the parameters if the alert condition is set as "if number of events" "is greater than" "0". However, the trigger condition never works until I set it as "Always". I have tried all different options to include custom set as "search count>0", and none of them work, although there were results from the alert. Any clues?

index=xyz sourcetype=xyz:abc c_host=myhostname | table c_ip cs_path

start time: -5m
finish time: now

jluo_splunk · ‎04-06-2016

Hi Splunkrocks2014,

The custom condition is typically set using the search command (see example: http://docs.splunk.com/Documentation/Splunk/6.1/Alert/Alertexamples)

I think you may need to change your base search a bit. If I understand your question correctly, you may be looking for something like this as your base search..

index=xyz sourcetype=xyz:abc c_host=myhostname | stats count by c_ip, cs_path

From here, you can create your alert, and set your custom condition to be something like "search count > 0", or whatever number you like.

frobinson_splun · ‎04-05-2016

Hi @splunkrocks2014,
What software version are you using?

What kind of alert did you create (real-time/scheduled)?

This is more of experimental question, but could you possibly test the alert without the "table" command at the end? If you leave "table" out but use your original condition for events > 0, does the alert trigger as expected?

splunkrocks2014 · ‎04-06-2016

It works by removed "table" command. That means the condition doesn't support "table" command?

Splunk Enterprise: 6.3.2
Alert: scheduled every 5 mins

Why does the trigger condition for my alert never work?

Unleash Unified Security and Observability with Splunk Cloud Platform

Enterprise Security Content Update (ESCU) | New Releases

Join the Splunk Developer Program Hackathon: Splunk Build-a-thon!