Splunk Observability Cloud
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to create a custom event detector?

niemi_splunk
Explorer
‎11-02-2022 01:57 AM

Hi,

I want to create a detector based on a custom event ingested using the API. I can select the eventType value as the signal but the conditions are all about signal values which obviously do not apply to an event.  

Any ideas?

Labels (1)
Reply

neilh
Engager
‎05-25-2023 03:33 AM

I would also like to know this. This seems like an obvious use case, but I can find no  information about how to achieve this in the documentation. 

If this is not possible, it makes the whole concept of custom events pretty useless IMO.

@niemi_splunk did you ever find a solution for this?

 

@bishida  @jha @matt  Do you know if this is possible?

Thanks

0 Karma
Reply

niemi_splunk
Explorer
‎05-25-2023 04:25 AM

I turned to write the events into a log file and used Log Pipeline Management to Metriczise them

0 Karma
Reply

neilh
Engager
‎05-25-2023 05:01 AM

Thanks for the response @niemi_splunk , much appreciated. 

Glad you found a working around. Unfortunately this won't work for me, as we're using Log Observer Connect, and Log Management Pipelines are not available, neither are metricised logs (unlike with the Log Observer entitlement).

I will wait and see if the others I tagged have any suggestions. 

0 Karma
Reply

bishida
Splunk Employee
Splunk Employee
‎05-25-2023 08:57 AM

Hi neilh,

I might be able to help point you in the right direction if I understand your use case better. Could you describe your scenario, what it is you're monitoring, and what you're trying to detect? We might just need a different approach to achieve your goal.

Generally speaking, detectors are built from signals and events add context to signals. So, events and signals are not the same thing.  Detectors can monitor signals and they can create events.

Here is a snippet from this documentation page that may help clarify.

https://docs.splunk.com/Observability/alerts-detectors-notifications/create-detectors-for-alerts.htm...

bishida_0-1685029645521.png

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...