Created a report where I need to trigger an alert ...

gsbpp · ‎06-28-2023

I have the following search

index=xoom_app_online_checkout_orchestration_api (level=ERROR AND "Failed to get open-banking realtime balance" AND issue=* ) OR event_type=OPEN_BANKING_REALTIME_BALANCE_SUCCESS | eval Issue=if(event_type=="OPEN_BANKING_REALTIME_BALANCE_SUCCESS", "OPEN_BANKING_REALTIME_BALANCE_SUCCESS", issue) | stats count as Count by Issue | eventstats sum(Count) as Total
| eval Percentage=round((Count/Total)*100,2)
| fields - Total
| sort 0 - Count | addcoltotals

I get this result:

Issue Count Percentage

OPEN_BANKING_REALTIME_BALANCE_SUCCESS	181	76.05
VALIDATION_ERROR	42	17.65
INVALID_LOGIN_CREDENTIALS	14	5.88
PERMISSION_DENIED	1	0.42
	238	100.00

I want to trigger an alert if the "Percentage" value of the row with Issue= OPEN_BANKING_REALTIME_BALANCE_SUCCESS is < 75

Could not figure out how to add a hidden filed or so... to use as the WHERE clause for the alert

ITWhisperer · ‎06-28-2023

Why do you need a hidden field, the information you need is already in the first row of the results, which you can trigger on. That is, trigger if the first issue is not OPEN_BANKING_REALTIME_BALANCE_SUCCESS OR if the first Percentage is less than 75

gsbpp · ‎06-29-2023

The table I displyed (report) is the one I want to email or slack,

I do not want extra fields to show. That is why I said hidden filed (in the sense that I do not want the report modified.

Basically, need the WHERE clause to trigger alert

ITWhisperer · ‎06-29-2023

Put the condition in the custom alert condition not as a where clause in the search.

Created a report where I need to trigger an alert depending on the value of a cell

eval

field extraction

metadata

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?