Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to set up an alert that triggers when a value goes above a certain threshold?

rtsquared
Explorer
‎04-25-2019 01:28 PM

In the event that I want to set up an alert on, the value I want to check against is part of the description field. The description field is one long string with quite a few different pieces of information.

One of the pieces of information, and the one I am concerned about, is 'valid_secs'. This basically means how long this thing is valid.

Here is a screenshot of what I am trying to compare against.

alt text

Is it even possible to assign that value of 15000 to a variable, so that I can put something like the following into the search bar...

When 'valid_secs' is greater than 14000, send me an alert.

Does anyone know if this is even something I can manipulate with the current working tools of splunk?

I have been messing around with spath and field extraction and am having a tough time getting this to work.

Any suggestion or even a response saying you don't think this is possible is appreciated. Thank You!

Tags (1)
Preview file
1 KB
0 Karma
Reply

rtsquared
Explorer
‎04-30-2019 02:26 PM

I just wanted to let everyone know how I figured this out.

The trick to getting this to work was using the FIELD EXTRACTOR and entering in my own custom REGULAR EXPRESSION.

JSON format can be tricky, it omits certain special characters. So I needed to view the event as "raw text" in order to see the extra backslashes that need to be accounted for.

The Regular Expression that I typed into the Field Extractor is below:

\\"valid_secs\\":\s(?\d+)

This Regular Expression was able to successfully extract the integer value that came after the words "valid_secs" and store it into its own field which I named 'valid_secs'.

Once this new field was extracted, I was able to type in the below search to get all events in which the field "valid_secs" was greater than the value 14400:

index=duo | search valid_secs>14400

I saved that search as an alert and I now get an alert every time that event is triggered.

Thank you to anyone who took the time to help and I hope this helps.

0 Karma
Reply

Alspeedo
Engager
‎04-25-2019 02:00 PM

You can use the extract fields to create a separate field for that if you see it reoccurring in multiple events.

https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/ExtractfieldsinteractivelywithIFX

After you get it extracted you can create an alert when that field is greater than your number.

Hope that helps.

Alspeedo

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...