Re: email alert condition

jvmerilla · ‎10-25-2018

Hi,
I have an email alert that will send a table with a field Status.
Now, I need to send this email every hour starting from 8am, until all values of Status is equal to 100%.
If all Status is equals to 100% it should stop sending email.

Is this possible to do in email alert?

Thanks in advance!

renjith_nair · ‎10-25-2018

@jvmerilla,
Yes, schedule it for every hour and add a condition to the search or alert where Status<=100 . In this case, when status is 100 , then the alert won't be triggered.

Happy Splunking!

jvmerilla · ‎10-25-2018

Hi @renjith.nair,

Would it work if I have for example 10 events.
For example by 8am, only 2 the events have Status=100%, so it will send alert containing all the events, including the Status=100% and Status!=100%.
But when every event has Status=100%, is should stop sending email.

renjith_nair · ‎10-25-2018

@jvmerilla,
Yes , we can do it by adding this to your search (remove the previous where Status<100)

"your search to get all the events with Status"|eventstats count(eval(if(Status=100,1,null()))) as count_by_status,count as total|where count_by_status!=total|fields Status

Below is a run anywhere example. Try it by changing the values of Status (100,90,80)

|makeresults|eval Status="100,90,80"|makemv Status delim=","|mvexpand Status
|eventstats count(eval(if(Status=100,1,null()))) as count_by_status,count as total|where count_by_status!=total|fields Status

Happy Splunking!

email alert condition

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!