All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Triggers alerts with differents conditions on the result

arnauld18
Explorer
‎11-03-2020 05:47 AM

How can i trigger my alert with different conditions on the result?

i want my alert not to be triggered if i have more than 9 results.

so i put this:  search count<9.

The problem is, even when there is no result in the search, like 0, the alert keep being triggered.

so i try this:  search count>0 and count<9. 

And it doesn't work.. can someone please help me?

Labels (3)
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎11-03-2020 06:14 AM

Hi @arnauld18 ...Please check .. 


try: base search |  where count<9 

and Alert condition --- When number of events > 0

or, try this--- base search | where count>0 AND count<9

 

~ Happy Splunking | Best Regards | Sekar | PS - Karma points appreciated! 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-03-2020 06:32 AM

Hi @arnauld18,

insert the conditions in the main search and fire the alert when you have results, something like this:

 

your search
| stats count
| where count<9

 

in this way:

  • if you have results, there's the condition to be fired in the alert,
  • if there isn't any result (count=0 or count>= 9) the aler isn't fired.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

arnauld18
Explorer
‎11-03-2020 06:48 AM

Thank you

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-03-2020 06:51 AM

Hi @arnauld18,

if one solution solves your need, please accept it for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎11-03-2020 06:14 AM

Hi @arnauld18 ...Please check .. 


try: base search |  where count<9 

and Alert condition --- When number of events > 0

or, try this--- base search | where count>0 AND count<9

 

~ Happy Splunking | Best Regards | Sekar | PS - Karma points appreciated! 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

arnauld18
Explorer
‎11-03-2020 06:42 AM

Thank you. I'm trying it rn

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...