Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is Splunk not allowing me to specify the trigger condition "Threads > 1600" for my custom alert?

B83896
New Member
‎06-21-2016 02:11 AM

Hi,

I am using the following search for monitoring number of Threads on a server:

index=perfmon host=CCEVPSYCA01 sourcetype="Perfmon:System" counter=Threads| eval Date=strftime(_time, "%Y-%m-%d %H:%M") | rename Value AS Threads | table Date, Threads | SORT BY Date

and I want to set up an alert to be triggered when conditions are met (custom alert): Threads > 1600. But Splunk does not allow me to specify this condition in the alert "threads > 1600".

Could you please help me in resolving this? Thanks,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎06-21-2016 03:06 AM

Try providing the condition as search Threads > 1600 in the condition box.
Another way to do is including the condition in the search itself and alert when Number of Resultsis greater than '0'

ie

index=perfmon host=CCEVPSYCA01 sourcetype="Perfmon:System" counter=Threads| eval Date=strftime(_time, "%Y-%m-%d %H:%M") | rename Value AS Threads | table Date, Threads | SORT BY Date|search Threads > 1600

and then selecting the drop down Number of Results is greater than 0

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎06-21-2016 03:06 AM

Try providing the condition as search Threads > 1600 in the condition box.
Another way to do is including the condition in the search itself and alert when Number of Resultsis greater than '0'

ie

index=perfmon host=CCEVPSYCA01 sourcetype="Perfmon:System" counter=Threads| eval Date=strftime(_time, "%Y-%m-%d %H:%M") | rename Value AS Threads | table Date, Threads | SORT BY Date|search Threads > 1600

and then selecting the drop down Number of Results is greater than 0

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

B83896
New Member
‎06-21-2016 05:27 AM

Hello,
Great! Thanks - first option worked for me!

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎06-21-2016 07:11 AM

Good to know. Please accept as answer so that the thread will be closed

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

B83896
New Member
‎06-21-2016 07:22 AM

Done, thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...