Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to trigger custom alert with source condition

PotatoDataUser
Explorer
a month ago

I have a index with 7 sources of which I utilize 4 sources.

The alert outputs data to a lookup file as its alert function and is written something like this.

index=my_index  source=source1 OR source=source2 OR source=source3 OR source=source4
stats commands
eval commands
table commands etc.

I want to configure the alert to run only when all the four sources are present.
I tried doing this.

PotatoDataUser_1-1731928388752.png

But the alert isnt running even when all 4 sources are present.

Please help me on how to configure this.



Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
a month ago

Is your search wide enough to cover events from all four sources? Does the alert trigger if you reduce it to 3?

0 Karma
Reply

PotatoDataUser
Explorer
a month ago

Yes the search covers all 4 sources, when I run the search manually and check the events I see all the 4 sources present.

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...