Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extra conditional search based on eval result
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ozirus
Path Finder
09-19-2016
04:11 AM
Hi,
I've a periodic anomaly detection search (alert) query that results like this in inline mail result table;
AVERAGE,PRESENT,THRESHOLDEXCEED
6836 ,15775 , YES
(bold ones are field names)
if there is no THRESHOLDEXCEED value, then alert doesn't trigger
My query that calculates thresholdexeed value is like this;
host="AVGMAILCOUNT" date_wday = [|stats count | eval A=strftime(now(),"%A") | return $A] | addinfo | eval saat=strftime(info_search_time,"%H") | eval dakka=strftime(info_search_time,"%M") | eval sonuc=if( date_hour == saat AND date_minute == dakka, "Evet","Hayır") | rename EXTRA_FIELD_3 as AVERAGE|search sonuc=Evet | stats values(*) as * | appendcols [search index=mailindex earliest=-10m | stats count as PRESENT] | where isnotnull(AVERAGE) AND isnotnull(PRESENT) | table AVERAGE, PRESENT| eval THRESHOLDEXCEED =if(PRESENT> AVERAGE*4, "YES","NO")
If THRESHOLDEXCEED is YES, I also want to trigger a completely different query and append it to alert mail (as inline table)
Query i want to include;
index=mailindex earliest=-10m | stats count by subject | sort -count
How can i achieve this?
Thanks so much,
Regards
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-19-2016
07:46 AM
Give this a try
host="AVGMAILCOUNT" date_wday = [|stats count | eval A=strftime(now(),"%A") | return $A] | addinfo | eval saat=strftime(info_search_time,"%H") | eval dakka=strftime(info_search_time,"%M") | eval sonuc=if( date_hour == saat AND date_minute == dakka, "Evet","Hayır") | rename EXTRA_FIELD_3 as AVERAGE|search sonuc=Evet | stats values(*) as * | appendcols [search index=mailindex earliest=-10m | stats count as PRESENT] | where isnotnull(AVERAGE) AND isnotnull(PRESENT) | table AVERAGE, PRESENT| eval THRESHOLDEXCEED =if(PRESENT> AVERAGE*4, "YES","NO") | append [search index=mailindex earliest=-10m | stats count by subject | sort -count] | eventstats values(THRESHOLDEXCEED) as THRESHOLDEXCEED | where THRESHOLDEXCEED="YES"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-19-2016
07:46 AM
Give this a try
host="AVGMAILCOUNT" date_wday = [|stats count | eval A=strftime(now(),"%A") | return $A] | addinfo | eval saat=strftime(info_search_time,"%H") | eval dakka=strftime(info_search_time,"%M") | eval sonuc=if( date_hour == saat AND date_minute == dakka, "Evet","Hayır") | rename EXTRA_FIELD_3 as AVERAGE|search sonuc=Evet | stats values(*) as * | appendcols [search index=mailindex earliest=-10m | stats count as PRESENT] | where isnotnull(AVERAGE) AND isnotnull(PRESENT) | table AVERAGE, PRESENT| eval THRESHOLDEXCEED =if(PRESENT> AVERAGE*4, "YES","NO") | append [search index=mailindex earliest=-10m | stats count by subject | sort -count] | eventstats values(THRESHOLDEXCEED) as THRESHOLDEXCEED | where THRESHOLDEXCEED="YES"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ozirus
Path Finder
09-19-2016
11:45 AM
When I do this, it works as expected in the result window but it sends one mail for each result row. How can i consolidate them as one table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-19-2016
12:13 PM
Check your email alert setting, you might be sending "One alert per result". ( check "Alert options" )
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Introduction to Splunk AI
How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...
Maximizing the Value of Splunk ES 8.x
Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...
