My alert search query is like this, and it runs every 5 mins:
index="iway_idoc" TMSG_TYPE="SAP_PLANARRIV" | table STATUS
The resultant records can have 2 different statuses: Delivered and Error.
Now, I want to trigger an email if at least one record with Error is found. I tried giving a custom search like
search count(eval(STATUS="Error")) > 1
It didn't work 😞
Can someone help with this, please?
Try something like this:
index="iway_idoc" TMSG_TYPE="SAP_PLANARRIV" STATUS=Error
The alert must be triggered when the number of results is greater than 0.
In other words: if you have results, you have errors.
You could also add a command to display e.g. the host list or the module list, to have more info in the alert.
Could you try this instead:
index="iway_idoc" TMSG_TYPE="SAP_PLANARRIV" STATUS=Error | stats count
This will count the records with STATUS=Error and then you can configure your alert to trigger if the count > 0.
For aggregate/statistical operations you should use the stats command: https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/SearchReference/Stats
Hope it helps!!!
index="iway_idoc" TMSG_TYPE="SAP_PLANARRIV" STATUS=Error |stats count by your_important_message_field
If you set it up as @jaime.ramirez says and write
$result.your_important_message_field$ in the body, you'll get better results.
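As an added illustration, not posted by anyone in the thread and written in plain Python rather than SPL, the following reproduces the logic of the searches in the answers over a handful of constructed events: the filters in the base search, `stats count`, `stats count by` a message field, and the "greater than" trigger condition. It also shows why the `> 1` in the original attempt is one too high: with exactly one Error record the count is 1, so `> 1` stays false while `> 0` fires. The field name MESSAGE and all event contents are made up for the example; the functions here are not Splunk APIs.

```python
"""Plain-Python model of the SPL alert pipeline discussed in the thread.

Constructed example, not Splunk code. Each dict below stands for one indexed
event with its index name and extracted fields (field names are hypothetical).
"""
from collections import Counter

SAMPLE_EVENTS = [
    {"index": "iway_idoc", "TMSG_TYPE": "SAP_PLANARRIV", "STATUS": "Delivered", "MESSAGE": "IDoc posted"},
    {"index": "iway_idoc", "TMSG_TYPE": "SAP_PLANARRIV", "STATUS": "Delivered", "MESSAGE": "IDoc posted"},
    {"index": "iway_idoc", "TMSG_TYPE": "SAP_PLANARRIV", "STATUS": "Error", "MESSAGE": "Partner profile not available"},
    # Same index, different message type: must NOT count towards this alert.
    {"index": "iway_idoc", "TMSG_TYPE": "SAP_ORDERS", "STATUS": "Error", "MESSAGE": "Segment missing"},
    # Different index: out of scope of the base search entirely.
    {"index": "other", "TMSG_TYPE": "SAP_PLANARRIV", "STATUS": "Error", "MESSAGE": "Noise"},
]


def base_search(events, **filters):
    """index="iway_idoc" TMSG_TYPE="SAP_PLANARRIV" STATUS=Error -> exact-match field filters."""
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]


def stats_count(events):
    """| stats count"""
    return len(events)


def stats_count_by(events, field):
    """| stats count by <field> -> one row per distinct value, as in the third answer."""
    return dict(Counter(e.get(field, "") for e in events))


def alert_fires(count, threshold=0):
    """Trigger condition 'count is greater than <threshold>'.

    The thread's answers use threshold 0. The original attempt used `> 1`,
    which requires at least two Error records before anything fires.
    """
    return count > threshold


def render_alert_rows(counts, field):
    """Rough stand-in for listing the grouped field in the email body, one line per stats row."""
    return [f"{field}={value} count={n}" for value, n in sorted(counts.items())]


def run_alert(events=SAMPLE_EVENTS, threshold=0):
    """Run the whole pipeline and return what the alert action would see."""
    matching = base_search(events, index="iway_idoc", TMSG_TYPE="SAP_PLANARRIV", STATUS="Error")
    count = stats_count(matching)
    by_message = stats_count_by(matching, "MESSAGE")
    return {
        "count": count,
        "fires": alert_fires(count, threshold),
        "rows": render_alert_rows(by_message, "MESSAGE"),
    }


if __name__ == "__main__":
    for threshold in (0, 1):
        result = run_alert(threshold=threshold)
        print(f"count > {threshold}: count={result['count']} fires={result['fires']}")
        for row in result["rows"]:
            print("  ", row)
```

One caveat on the `$result.fieldname$` token from the last answer: in Splunk it substitutes the value of that field from the first result row only, so with a `stats count by` search that returns several rows the email body shows just one of them. To list all of them, attach the results as a table or CSV in the alert action, or use a single-row search (plain `stats count` with `$result.count$`) for the body.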