Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extra conditional search based on eval result
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ozirus
Path Finder
09-19-2016
04:11 AM
Hi,
I've a periodic anomaly detection search (alert) query that results like this in inline mail result table;
AVERAGE,PRESENT,THRESHOLDEXCEED
6836 ,15775 , YES
(bold ones are field names)
if there is no THRESHOLDEXCEED value, then alert doesn't trigger
My query that calculates thresholdexeed value is like this;
host="AVGMAILCOUNT" date_wday = [|stats count | eval A=strftime(now(),"%A") | return $A] | addinfo | eval saat=strftime(info_search_time,"%H") | eval dakka=strftime(info_search_time,"%M") | eval sonuc=if( date_hour == saat AND date_minute == dakka, "Evet","Hayır") | rename EXTRA_FIELD_3 as AVERAGE|search sonuc=Evet | stats values(*) as * | appendcols [search index=mailindex earliest=-10m | stats count as PRESENT] | where isnotnull(AVERAGE) AND isnotnull(PRESENT) | table AVERAGE, PRESENT| eval THRESHOLDEXCEED =if(PRESENT> AVERAGE*4, "YES","NO")
If THRESHOLDEXCEED is YES, I also want to trigger a completely different query and append it to alert mail (as inline table)
Query i want to include;
index=mailindex earliest=-10m | stats count by subject | sort -count
How can i achieve this?
Thanks so much,
Regards
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-19-2016
07:46 AM
Give this a try
host="AVGMAILCOUNT" date_wday = [|stats count | eval A=strftime(now(),"%A") | return $A] | addinfo | eval saat=strftime(info_search_time,"%H") | eval dakka=strftime(info_search_time,"%M") | eval sonuc=if( date_hour == saat AND date_minute == dakka, "Evet","Hayır") | rename EXTRA_FIELD_3 as AVERAGE|search sonuc=Evet | stats values(*) as * | appendcols [search index=mailindex earliest=-10m | stats count as PRESENT] | where isnotnull(AVERAGE) AND isnotnull(PRESENT) | table AVERAGE, PRESENT| eval THRESHOLDEXCEED =if(PRESENT> AVERAGE*4, "YES","NO") | append [search index=mailindex earliest=-10m | stats count by subject | sort -count] | eventstats values(THRESHOLDEXCEED) as THRESHOLDEXCEED | where THRESHOLDEXCEED="YES"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-19-2016
07:46 AM
Give this a try
host="AVGMAILCOUNT" date_wday = [|stats count | eval A=strftime(now(),"%A") | return $A] | addinfo | eval saat=strftime(info_search_time,"%H") | eval dakka=strftime(info_search_time,"%M") | eval sonuc=if( date_hour == saat AND date_minute == dakka, "Evet","Hayır") | rename EXTRA_FIELD_3 as AVERAGE|search sonuc=Evet | stats values(*) as * | appendcols [search index=mailindex earliest=-10m | stats count as PRESENT] | where isnotnull(AVERAGE) AND isnotnull(PRESENT) | table AVERAGE, PRESENT| eval THRESHOLDEXCEED =if(PRESENT> AVERAGE*4, "YES","NO") | append [search index=mailindex earliest=-10m | stats count by subject | sort -count] | eventstats values(THRESHOLDEXCEED) as THRESHOLDEXCEED | where THRESHOLDEXCEED="YES"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ozirus
Path Finder
09-19-2016
11:45 AM
When I do this, it works as expected in the result window but it sends one mail for each result row. How can i consolidate them as one table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-19-2016
12:13 PM
Check your email alert setting, you might be sending "One alert per result". ( check "Alert options" )
Get Updates on the Splunk Community!
Accelerating Observability as Code with the Splunk AI Assistant
We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Splunk is More Than Just the Web Console
For Digital Forensics and Incident Response (DFIR) practitioners, ...
Congratulations to the 2025-2026 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
