
How to trigger alerts on value of a custom field

Path Finder

Hi,

My search is:
index=demo |eval name=lower(name)|fillnull value=Null|replace True with Compliant False with "Non_Compliant" in Compliance |search eligibility=* Appliance="*" |stats count by Compliance

This gives me output like:
Compliant 85
Non-Compliant 40
Missing 10

Here I need to create a custom alert (email to be sent) whenever Compliant is < 95%. I was not able to do this.

Regards,
Sundar


SplunkTrust

If you want to create an alert based on a specific value, which is Compliant in your case, then filter on that field in your search:

You can try this search:

index=demo |eval name=lower(name)|fillnull value=Null|replace True with Compliant False with "Non_Compliant" in Compliance |search eligibility=* Appliance="*" Compliance="Compliant" |stats count by Compliance

Then set the trigger condition to: Trigger alert when custom search count<95

If you want to stick to your query, then you can try something like:
Set the trigger condition to: Trigger alert when custom search Compliance="Compliant" AND count<95

Let me know if this helps!


Path Finder

Thanks for your reply.

Compliance is the field which has all the values in it, like Compliant, Non-Compliant, etc. Here my requirement is to get the alert when Compliant is < 95%.

When I use Compliance=Compliant, it will have the total of all the 4 values in Compliance, right? I need it for Compliant alone in the Compliance field.

Please suggest me a way, mayurr98.


SplunkTrust

No, when you write Compliance="Compliant" before the stats command it will have only one value, Compliant. In that case you need to set the custom trigger condition as

search count<95

If you have 4 values in the Compliance field, then you need to set the custom trigger condition as

search Compliance="Compliant" AND count<95

Path Finder

Hi, thank you. It works.

Can you help me with this code:
index=demo |eval name=lower(name)|fillnull value=Null|search eligibility="*" Appliance="*" |stats count by Compliance| eventstats sum(count) as perc | eval perc=round(count*100/perc,2)

I get output like below:
Compliance count perc(in %)
False 8 30.77
Missing 5 19.23
True 13 50.00

Here I need to trigger on False if it goes above 50% OR on True if it goes below 50% in a custom alert.

Please help me with it, mayurr98.


SplunkTrust

So your trigger condition should be:

search (Compliance="False" AND perc>50) OR (Compliance="True" AND perc<50)

Path Finder

I am not getting the alert triggered. I tried with one condition too.


SplunkTrust

Put this at the end of your search:

index=demo |eval name=lower(name)|fillnull value=Null|search eligibility="*" Appliance="*" |stats count by Compliance| eventstats sum(count) as perc | eval perc=round(count*100/perc,2) | search (Compliance="False" AND perc>50) OR (Compliance="True" AND perc<50)

And see if you are getting results.
If yes, then save this search as an alert and leave the trigger condition as the default.

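One caveat with the "filter the stats rows and alert on any result" pattern in the answer above: if no events with Compliance="True" (or "False") land in the search window at all, that row never exists, so the `| search ... perc<50` filter returns nothing and the alert stays silent exactly when compliance data has disappeared. The following SPL is an added example, not a search from this thread, written to illustrate a variant that computes the percentages in a single row so there is always something to evaluate. It assumes the same index=demo and the raw True/False/Missing values of the Compliance field used in the later searches in the thread; the 95% and 50% thresholds are taken from the posts, and the reason field is an assumption added for readable alert emails.

```spl
index=demo
| eval name=lower(name)
| fillnull value=Null
| search eligibility="*" Appliance="*"
| stats count(eval(Compliance="True")) as compliant,
        count(eval(Compliance="False")) as noncompliant,
        count as total
| eval compliant_perc=if(total>0, round(compliant*100/total, 2), 0),
       noncompliant_perc=if(total>0, round(noncompliant*100/total, 2), 0)
| where total==0 OR compliant_perc<95 OR noncompliant_perc>50
| eval reason=case(total==0, "no compliance data in the search window",
                   compliant_perc<95, "Compliant below 95%",
                   noncompliant_perc>50, "Non-Compliant above 50%")
| table total compliant compliant_perc noncompliant noncompliant_perc reason
```

Save this as the alert search and set the trigger condition to "Number of Results is greater than 0". Because `stats` without a `by` clause always emits exactly one row, the `total==0` branch fires when the data feed itself is missing, which the per-value filtering approach silently treats as "nothing to report"; drop that branch only if an empty window is genuinely expected.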