How to trigger alerts on value of a custom field

umsundar2015
Path Finder

Hi,

My search is:
index=demo |eval name=lower(name)|fillnull value=Null|replace True with Compliant False with "Non_Compliant" in Compliance |search eligibility=* Appliance="*" |stats count by Compliance

This gives me output like:
Compliant 85
Non-Compliant 40
Missing 10

Here I need to create a custom alert (email to be sent) whenever Compliant is < 95%. I was not able to do this.

Regards,
Sundar

0 Karma

mayurr98
SplunkTrust

If you want to create an alert based on a specific value, which is Compliant in your case, then filter on that field in your search results.

You can try this search:

index=demo |eval name=lower(name)|fillnull value=Null|replace True with Compliant False with "Non_Compliant" in Compliance |search eligibility=* Appliance="*" Compliance="Compliant" |stats count by Compliance

Then set the trigger condition to: Trigger alert when custom search count<95

If you want to stick to your query, then you can try something like:
Set the trigger condition to: Trigger alert when custom search Compliance="Compliant" AND count<95

Let me know if this helps!

0 Karma

umsundar2015
Path Finder

Thanks for your reply.

Compliance is the field which has all the values in it, like Compliant, Non-Compliant, etc. Here my requirement is to get the alert when Compliant is < 95%.

When I use Compliance=Compliant, it will have the total of all the 4 values in Compliance, right? I need it for Compliant alone in the Compliance field.

Please suggest me a way, mayurr98.

0 Karma

mayurr98
SplunkTrust

No, when you write Compliance="Compliant" before the stats command it will have only one value, called Compliant. In that case you need to set the custom trigger condition as:

search count<95

If you have 4 values in the Compliance field, then you need to set the custom trigger condition as:

search Compliance="Compliant" AND count<95

0 Karma

umsundar2015
Path Finder

Hi, thank you. It works.

Can you help me with this code:
index=demo |eval name=lower(name)|fillnull value=Null|search eligibility="*" Appliance="*" |stats count by Compliance| eventstats sum(count) as perc | eval perc=round(count*100/perc,2)

I get output like below:
Compliance count perc(in %)
False 8 30.77
Missing 5 19.23
True 13 50.00

Here I need to take False if it goes above 50% OR True if it goes below 50% in the custom alert.

Please help me with it, mayurr98.

0 Karma

mayurr98
SplunkTrust

So your trigger condition should be:

search (Compliance="False" AND perc>50) OR (Compliance="True" AND perc<50)

0 Karma

umsundar2015
Path Finder

I am not getting the alert triggered. I tried with one condition too.

0 Karma

mayurr98
SplunkTrust

Put this at the end of your search:

index=demo |eval name=lower(name)|fillnull value=Null|search eligibility="*" Appliance="*" |stats count by Compliance| eventstats sum(count) as perc | eval perc=round(count*100/perc,2) | search (Compliance="False" AND perc>50) OR (Compliance="True" AND perc<50)

And see if you are getting results.
If yes, then save this search as an alert and leave the trigger condition as default.

0 Karma
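As an added illustration, not part of the thread and not Splunk's own code, here is a small Python model of the pipeline mayurr98 ends up with: `stats count by Compliance`, the `eventstats`-based percentage, and the final `search` that acts as the trigger condition over the result rows rather than over raw events. The sample events and the function names are constructed for this example. It also shows the edge case the thread's own figures hit: a row sitting at exactly 50.00% matches neither `perc>50` nor `perc<50`, so with that data the alert stays silent, which is one reason a test of the alert can appear to "not trigger".

```python
"""Model of the SPL alert pipeline from the thread (constructed example)."""
from collections import Counter

# Constructed sample events: the Compliance field as it would look after the
# thread's `fillnull`/`replace` steps.  Counts match the table in the thread
# (False 8, Missing 5, True 13), values are made up for this example.
SAMPLE_EVENTS = (
    [{"Compliance": "False"} for _ in range(8)]
    + [{"Compliance": "Missing"} for _ in range(5)]
    + [{"Compliance": "True"} for _ in range(13)]
)

# A second constructed sample where one host has drifted from True to False,
# so the True share drops below 50%.
DRIFTED_EVENTS = (
    [{"Compliance": "False"} for _ in range(9)]
    + [{"Compliance": "Missing"} for _ in range(5)]
    + [{"Compliance": "True"} for _ in range(12)]
)


def stats_count_by(events, field):
    """Equivalent of `stats count by <field>`: one row per distinct value."""
    counts = Counter(e.get(field) for e in events)
    return [{field: value, "count": n} for value, n in sorted(counts.items())]


def eventstats_percent(rows):
    """Equivalent of `eventstats sum(count) as perc | eval perc=round(count*100/perc,2)`.

    eventstats adds the grand total to every row without collapsing them, so
    each row can then be turned into its share of the total.
    """
    total = sum(r["count"] for r in rows)
    return [dict(r, perc=round(r["count"] * 100 / total, 2)) for r in rows]


def trigger_filter(rows):
    """Equivalent of the final
    `search (Compliance="False" AND perc>50) OR (Compliance="True" AND perc<50)`.

    Note the strict comparisons: a row at exactly 50.00 matches neither branch.
    """
    return [
        r for r in rows
        if (r["Compliance"] == "False" and r["perc"] > 50)
        or (r["Compliance"] == "True" and r["perc"] < 50)
    ]


def alert_fires(events):
    """Run the whole pipeline and apply the default trigger condition
    ("Number of results > 0").  Returns (fired, result_rows)."""
    rows = eventstats_percent(stats_count_by(events, "Compliance"))
    return len(trigger_filter(rows)) > 0, rows


if __name__ == "__main__":
    for label, events in (("thread sample", SAMPLE_EVENTS), ("drifted", DRIFTED_EVENTS)):
        fired, rows = alert_fires(events)
        print(f"{label}: alert fires = {fired}")
        for r in rows:
            print(f"  {r['Compliance']:<8} {r['count']:>3} {r['perc']:>6.2f}%")
```

Running it reproduces the thread's table (30.77 / 19.23 / 50.00) with no alert, and fires on the drifted sample once True falls to 46.15%. If the intent is to alert when True is at or below half, the condition would need `perc<=50`; as written, both the SPL and this model treat 50.00 as healthy.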