Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I create an alert to trigger at discrete intervals?

neiljpeterson
Communicator
‎03-07-2018 04:13 PM

I would like to configure an alert that triggers every X increase in a count field Y.

To the user this would look like

"count is now at 1000!"

[15 mins goes by]

"count is now at 2000!"

[5 mins goes by]

"count is now at 3000!"

5 mins is my search interval.

I don't want an alert at a regular interval. I only want it to trigger if it is X greater than the last alert.

I realize there is a "number of results rises by" trigger condition, but my search outputs a table with a count field I would like to use instead of raw count of events.

Seems like a simple thing, but I can't figure how to do this without searching _internal and scheduler for the last triggered alert which seems messy.

Please help! Much appreciated.

thanks

Neil

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-12-2019 01:03 PM

@neiljpeterson Is your problem resolved? If so, please accept an answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

janispelss
Path Finder
‎03-08-2018 06:19 AM

If you' re using at least Splunk version 7.0.0, you could use the "Output results to lookup" alert action. You would create a lookup with the initial threshold, and change the alert search query to use that lookup to get the threshold. Once the alert triggers, it would save the results in the lookup to be used the next time the search is scheduled to run.
The exact implementation would depend on what exactly you want to do.

0 Karma
Reply

anjambha
Communicator
‎03-07-2018 11:52 PM

Hi neiljpeterson,

Can you share sample output data.

if your sample data or query output something like as below then you can refer below query.

Sample Data : 

source,count
/opt/splunk/var/log/splunk/splunkd.log,7

Query:

earliest=-5m index="_internal" source="/opt/splunk/var/log/splunk/splunkd.log" | stats count as "Current_Count" by source | eval Last_alert_count = [search earliest=-10m latest=-5m index="_internal" source="/opt/splunk/var/log/splunk/splunkd.log" | stats count by source | return $count] | where Current_Count > Last_alert_count

also if your first column (x axis) has multiple values and same then you can try this.

earliest=-5m index="_internal" | stats count as "Current_Count" by source | join source [search earliest=-10m latest=-5m index="_internal"  | stats count as last_count by source] | where Current_Count > last_count
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...