Re: How to trigger alert in timechart field for ev...

mprreddy51 · ‎05-11-2016

Hi,

I have a query which is in timechart:

index=PQR sourcetype=abc NOT "\\x00\\x00\\x00\\x00\\x00"|timechart  count by ID

Results i am getting:

_time                    p1   p2   p3   p4
2016-05-11 00:00:00       0    1    1    0
2016-05-11 00:10:00       1    1    0    2
2016-05-11 00:20:00       2    1    2    3
2016-05-11 00:30:00       1    0    0    0

I want to trigger an email alert on P1 if the count>1 for every 10 min. I created a alert with cron job for every 10 min and custom condition : Search P1>0
ALert mode: I want when the count of P1 is increasing (once per search i kept)

requirement: if the P1 count comes in next 10 min example(2016-05-11 00:40:00) as 1 then i need a email to trigger

Thanks in advance.

mprreddy51 · ‎05-11-2016

I used this query in search : index=PQR sourcetype=ABC NOT "\x00\x00\x00\x00\x00" earliest=-10m@m|chart count by ID|table count,ID

and in custom search i used: search count>0

It worked

woodcock · ‎05-11-2016

Maybe like this:

index=PQR sourcetype=abc NOT "\\x00\\x00\\x00\\x00\\x00" | timechart  span=10m count BY ID | stats count count(eval(p1>1)) AS countGreaterThanOneP1 | where countGreaterThanOneP1=count

mprreddy51 · ‎05-11-2016

Thanks @Woodcock.

This query is not returning results.

little more modification to the requirement:

I need alerts for all ID's(P1,P2,P3....etc ) in timechart.
case1: For example if P1 count is 1 at 2016-05-11 00:30:00 then it should trigger email saying that p1 count is 1
case2: For example if P2 count is 3 at 2016-05-11 00:40:00 then it should trigger email saying that p2 count is 3
case3: For example if P1 and P2 count is 2 ,4 at 2016-05-11 00:50:00 then it should trigger email saying that p1 and p2 count is 4

burwell · ‎05-11-2016

How about having separate alerts for each ID?

mprreddy51 · ‎05-11-2016

@burwell

In the example i shown only 4 ids(p1,p2,p3,p4) but i MAY get 10 id's also.Then i cannot create 10 seperate right?

I need to trigger alert any of the ID count has greater than 1 for every 10 min
sample data:

_time p1 p2 p3 p4
2016-05-11 00:00:00 0 1 1 0
2016-05-11 00:10:00 1 1 0 2
2016-05-11 00:20:00 2 1 2 3
2016-05-11 00:30:00 1 0 0 0

sundareshr · ‎05-11-2016

I think what you are looking for is something like this

index=PQR sourcetype=abc NOT "\\x00\\x00\\x00\\x00\\x00" earliest=10m@m id="P1"| stats count

and set the alert if there is result. Schedule the alert to run every 10 mins. This will alert only if there is a new P1 in the last 10 mins.

mprreddy51 · ‎05-11-2016

thanks @sundareshr

Yes you are correct but i need for others id also like p2,p3,p4...etc

I need alerts for all ID's(P1,P2,P3....etc ) in timechart.
case1: For example if P1 count is 1 at 2016-05-11 00:30:00 then it should trigger email saying that p1 count is 1
case2: For example if P2 count is 3 at 2016-05-11 00:40:00 then it should trigger email saying that p2 count is 3
case3: For example if P1 and P2 count is 2 ,4 at 2016-05-11 00:50:00 then it should trigger email saying that p1 and p2 count is 4
like this

sundareshr · ‎05-11-2016

Do all have to be in the same alert?

mprreddy51 · ‎05-11-2016

@Sundaresh Yes,I need all in same alert .

How to trigger alert in timechart field for every 10 min count

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes