email alert condition

jvmerilla · ‎10-25-2018

Hi,
I have an email alert that will send a table with a field Status.
Now, I need to send this email every hour starting from 8am, until all values of Status is equal to 100%.
If all Status is equals to 100% it should stop sending email.

Is this possible to do in email alert?

Thanks in advance!

renjith_nair · ‎10-25-2018

@jvmerilla,
Yes, schedule it for every hour and add a condition to the search or alert where Status<=100 . In this case, when status is 100 , then the alert won't be triggered.

---
What goes around comes around. If it helps, hit it with Karma 🙂

jvmerilla · ‎10-25-2018

Hi @renjith.nair,

Would it work if I have for example 10 events.
For example by 8am, only 2 the events have Status=100%, so it will send alert containing all the events, including the Status=100% and Status!=100%.
But when every event has Status=100%, is should stop sending email.

renjith_nair · ‎10-25-2018

@jvmerilla,
Yes , we can do it by adding this to your search (remove the previous where Status<100)

"your search to get all the events with Status"|eventstats count(eval(if(Status=100,1,null()))) as count_by_status,count as total|where count_by_status!=total|fields Status

Below is a run anywhere example. Try it by changing the values of Status (100,90,80)

|makeresults|eval Status="100,90,80"|makemv Status delim=","|mvexpand Status
|eventstats count(eval(if(Status=100,1,null()))) as count_by_status,count as total|where count_by_status!=total|fields Status

---
What goes around comes around. If it helps, hit it with Karma 🙂

email alert condition

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Splunk and Fraud

Build Your First SPL2 App!