Reporting

alert condition if number of events is NOT equal

klee310
Communicator

I am trying to set up a saved search with an email alert, with the following Alert Condition properties:

  • Perform actions: if number of events...
  • is 'not equal to' threshold: '25'

but I can't seem to find this 'not equal' property anywhere. The only properties I can select from the list are: is greater than, is less than, is equal to, drops by, and rises by.

Any advice is greatly appreciated

0 Karma
1 Solution

gkanapathy
Splunk Employee

Are you really saying that you want the email sent if there are 24 events, or 26 events, or 1 event, or 2000 events, but if there are exactly 25 events, then you are not told about it? That's unusual.

The custom condition in this case would just be something like | stats count | where count!=25

View solution in original post

klee310
Communicator

For a regular saved search, it's called 'alert_threshold', accompanied by a bunch of other variables: 'actions', 'alert_comparator', 'alert_condition', etc. This can all be seen from https://localhost:8089/servicesNS/nobody/myApp/saved/searches. If I simply use a regular condition, say 'is greater than', there is an additional text box to fill in this value (on the dummy settings form). Thanks for the reply anyway.

0 Karma
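The two ways to express this alert as savedsearches.conf stanzas, as an added example that is not part of the original thread. The first stanza uses the built-in comparator fields klee310 lists (alert_type, alert_comparator, alert_threshold), which is what the 'is greater than' choice in the UI produces; the second uses alert_type = custom with gkanapathy's condition, which is the only way to get 'not equal to 25'. The index, sourcetype, schedule and recipient address are placeholders (assumptions), and the example assumes the base search of the custom stanza ends in `| stats count` so the condition is a plain search filter on the count field.

```ini
# Example savedsearches.conf stanzas (added example, not from the thread).
# index, sourcetype, schedule and recipient are placeholders.

# 1. Built-in comparator: what the "is greater than" choice in the UI writes.
#    alert_threshold only has meaning alongside alert_comparator.
[events_over_threshold]
search = index=main sourcetype=app_log
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 25
actions = email
action.email.to = secops@example.com
action.email.subject = More than 25 events in the last 15 minutes

# 2. Custom condition: the only way to express "not equal to 25".
#    The base search ends in "| stats count", so the condition is a search
#    filter on the count field. alert_condition is evaluated against the
#    result rows of the saved search and the alert fires when it returns
#    at least one row. There is no separate threshold field in this mode:
#    the value 25 lives in the condition string itself, which is the
#    alert_condition attribute on .../saved/searches in the REST output.
[events_not_exactly_25]
search = index=main sourcetype=app_log | stats count
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
alert_type = custom
alert_condition = search count!=25
actions = email
action.email.to = secops@example.com
action.email.subject = Event count is not 25 in the last 15 minutes
```

One edge case worth checking before trusting the custom stanza: when the scheduled search matches no events at all, `stats count` still returns a single row with count=0, so the condition fires (0 is not 25). That is the behaviour a 'not equal' check should have, but it also means an index outage or a broken input shows up as this alert rather than as silence.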

gkanapathy
Splunk Employee

Well where does this value come from?

0 Karma

klee310
Communicator

Yes, this is a saved search with an email alert. But if I choose the default options, such as 'if number of events' 'is greater than', I can also put in a threshold value. The key to this problem is that '25' is an unknown value. How would I reference this value from within my custom condition if this is the case?

0 Karma

hazekamp
Builder

I think klee means a saved search that alerts via email?!

0 Karma

klee310
Communicator

If I go with the custom-condition route, how would I access a value similar to the threshold variable from within the condition?

0 Karma