Splunk Cloud Platform
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to trigger custom alert with source condition

PotatoDataUser
Explorer
‎11-18-2024 03:16 AM

I have a index with 7 sources of which I utilize 4 sources.

The alert outputs data to a lookup file as its alert function and is written something like this.

index=my_index  source=source1 OR source=source2 OR source=source3 OR source=source4
stats commands
eval commands
table commands etc.

I want to configure the alert to run only when all the four sources are present.
I tried doing this.

PotatoDataUser_1-1731928388752.png

But the alert isnt running even when all 4 sources are present.

Please help me on how to configure this.



Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-18-2024 03:33 AM

Is your search wide enough to cover events from all four sources? Does the alert trigger if you reduce it to 3?

0 Karma
Reply

PotatoDataUser
Explorer
‎11-18-2024 03:36 AM

Yes the search covers all 4 sources, when I run the search manually and check the events I see all the 4 sources present.

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top