Re: How to trigger alert in timechart field for ev...

mprreddy51 · ‎05-11-2016

Hi,

I have a query which is in timechart:

index=PQR sourcetype=abc NOT "\\x00\\x00\\x00\\x00\\x00"|timechart  count by ID

Results i am getting:

_time                    p1   p2   p3   p4
2016-05-11 00:00:00       0    1    1    0
2016-05-11 00:10:00       1    1    0    2
2016-05-11 00:20:00       2    1    2    3
2016-05-11 00:30:00       1    0    0    0

I want to trigger an email alert on P1 if the count>1 for every 10 min. I created a alert with cron job for every 10 min and custom condition : Search P1>0
ALert mode: I want when the count of P1 is increasing (once per search i kept)

requirement: if the P1 count comes in next 10 min example(2016-05-11 00:40:00) as 1 then i need a email to trigger

Thanks in advance.

mprreddy51 · ‎05-11-2016

I used this query in search : index=PQR sourcetype=ABC NOT "\x00\x00\x00\x00\x00" earliest=-10m@m|chart count by ID|table count,ID

and in custom search i used: search count>0

It worked

woodcock · ‎05-11-2016

Maybe like this:

index=PQR sourcetype=abc NOT "\\x00\\x00\\x00\\x00\\x00" | timechart  span=10m count BY ID | stats count count(eval(p1>1)) AS countGreaterThanOneP1 | where countGreaterThanOneP1=count

mprreddy51 · ‎05-11-2016

Thanks @Woodcock.

This query is not returning results.

little more modification to the requirement:

I need alerts for all ID's(P1,P2,P3....etc ) in timechart.
case1: For example if P1 count is 1 at 2016-05-11 00:30:00 then it should trigger email saying that p1 count is 1
case2: For example if P2 count is 3 at 2016-05-11 00:40:00 then it should trigger email saying that p2 count is 3
case3: For example if P1 and P2 count is 2 ,4 at 2016-05-11 00:50:00 then it should trigger email saying that p1 and p2 count is 4

burwell · ‎05-11-2016

How about having separate alerts for each ID?

mprreddy51 · ‎05-11-2016

@burwell

In the example i shown only 4 ids(p1,p2,p3,p4) but i MAY get 10 id's also.Then i cannot create 10 seperate right?

I need to trigger alert any of the ID count has greater than 1 for every 10 min
sample data:

_time p1 p2 p3 p4
2016-05-11 00:00:00 0 1 1 0
2016-05-11 00:10:00 1 1 0 2
2016-05-11 00:20:00 2 1 2 3
2016-05-11 00:30:00 1 0 0 0

sundareshr · ‎05-11-2016

I think what you are looking for is something like this

index=PQR sourcetype=abc NOT "\\x00\\x00\\x00\\x00\\x00" earliest=10m@m id="P1"| stats count

and set the alert if there is result. Schedule the alert to run every 10 mins. This will alert only if there is a new P1 in the last 10 mins.

mprreddy51 · ‎05-11-2016

thanks @sundareshr

Yes you are correct but i need for others id also like p2,p3,p4...etc

I need alerts for all ID's(P1,P2,P3....etc ) in timechart.
case1: For example if P1 count is 1 at 2016-05-11 00:30:00 then it should trigger email saying that p1 count is 1
case2: For example if P2 count is 3 at 2016-05-11 00:40:00 then it should trigger email saying that p2 count is 3
case3: For example if P1 and P2 count is 2 ,4 at 2016-05-11 00:50:00 then it should trigger email saying that p1 and p2 count is 4
like this

sundareshr · ‎05-11-2016

Do all have to be in the same alert?

mprreddy51 · ‎05-11-2016

@Sundaresh Yes,I need all in same alert .

How to trigger alert in timechart field for every 10 min count

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor