Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

alert condition if number of events is NOT equal

klee310
Communicator
‎04-06-2011 04:30 AM

I am trying to setup a saved-search with email alert; with the following Alert Conditions properties:

  • Perform actions: if number of events...
  • is 'not equal to' threshold: '25'

but I can't seem to find this 'not equal' property anywhere. The only properties I can select from the list are: is greater than, is less than, is equal to, drops by, and rises by.

Any advice is greatly appreciated

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-06-2011 06:00 AM

Are you really saying that you want the email sent if there are 24 events, or 26 events, or 1 event, or 2000 events, but if there are exactly 25 events, then you are not told about it? That's unusual.

The custom condition in this case would just be something like | stats count | where count!=25

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-06-2011 06:00 AM

Are you really saying that you want the email sent if there are 24 events, or 26 events, or 1 event, or 2000 events, but if there are exactly 25 events, then you are not told about it? That's unusual.

The custom condition in this case would just be something like | stats count | where count!=25

Reply
Solved! Jump to solution

klee310
Communicator
‎04-06-2011 01:36 PM

for a regular saved-search, its called 'alert_threshold', accompanied by a bunch of other variables, 'actions', 'alert_comparator', 'alert_condition', etc.. this can all be see from https://localhost:8089/servicesNS/nobody/myApp/saved/searches. If i simply used a regular condition, say 'is greater than', there is an additional text-box to fill in this value (on the dummy-settings-form). thanks for the reply anyways.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-06-2011 08:05 AM

Well where does this value come from?

0 Karma
Reply
Solved! Jump to solution

klee310
Communicator
‎04-06-2011 07:48 AM

yes, this is a saved search - with email alert. but if i choose the default options, such as 'if number of events' 'is greater than', i can also put a threshold value. They key of this problem is that '25' is an unknown value. How would i reference this value from within my custom condition if this is the case?

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎04-06-2011 06:40 AM

I think klee means a saved search that alerts via email.?!

0 Karma
Reply
Solved! Jump to solution

klee310
Communicator
‎04-06-2011 04:32 AM

if I go with the custom-condition route, how would i access the a value similar to the threshold variable from within the condition?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...