Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extra conditional search based on eval result
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ozirus
Path Finder
09-19-2016
04:11 AM
Hi,
I've a periodic anomaly detection search (alert) query that results like this in inline mail result table;
AVERAGE,PRESENT,THRESHOLDEXCEED
6836 ,15775 , YES
(bold ones are field names)
if there is no THRESHOLDEXCEED value, then alert doesn't trigger
My query that calculates thresholdexeed value is like this;
host="AVGMAILCOUNT" date_wday = [|stats count | eval A=strftime(now(),"%A") | return $A] | addinfo | eval saat=strftime(info_search_time,"%H") | eval dakka=strftime(info_search_time,"%M") | eval sonuc=if( date_hour == saat AND date_minute == dakka, "Evet","Hayır") | rename EXTRA_FIELD_3 as AVERAGE|search sonuc=Evet | stats values(*) as * | appendcols [search index=mailindex earliest=-10m | stats count as PRESENT] | where isnotnull(AVERAGE) AND isnotnull(PRESENT) | table AVERAGE, PRESENT| eval THRESHOLDEXCEED =if(PRESENT> AVERAGE*4, "YES","NO")
If THRESHOLDEXCEED is YES, I also want to trigger a completely different query and append it to alert mail (as inline table)
Query i want to include;
index=mailindex earliest=-10m | stats count by subject | sort -count
How can i achieve this?
Thanks so much,
Regards
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-19-2016
07:46 AM
Give this a try
host="AVGMAILCOUNT" date_wday = [|stats count | eval A=strftime(now(),"%A") | return $A] | addinfo | eval saat=strftime(info_search_time,"%H") | eval dakka=strftime(info_search_time,"%M") | eval sonuc=if( date_hour == saat AND date_minute == dakka, "Evet","Hayır") | rename EXTRA_FIELD_3 as AVERAGE|search sonuc=Evet | stats values(*) as * | appendcols [search index=mailindex earliest=-10m | stats count as PRESENT] | where isnotnull(AVERAGE) AND isnotnull(PRESENT) | table AVERAGE, PRESENT| eval THRESHOLDEXCEED =if(PRESENT> AVERAGE*4, "YES","NO") | append [search index=mailindex earliest=-10m | stats count by subject | sort -count] | eventstats values(THRESHOLDEXCEED) as THRESHOLDEXCEED | where THRESHOLDEXCEED="YES"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-19-2016
07:46 AM
Give this a try
host="AVGMAILCOUNT" date_wday = [|stats count | eval A=strftime(now(),"%A") | return $A] | addinfo | eval saat=strftime(info_search_time,"%H") | eval dakka=strftime(info_search_time,"%M") | eval sonuc=if( date_hour == saat AND date_minute == dakka, "Evet","Hayır") | rename EXTRA_FIELD_3 as AVERAGE|search sonuc=Evet | stats values(*) as * | appendcols [search index=mailindex earliest=-10m | stats count as PRESENT] | where isnotnull(AVERAGE) AND isnotnull(PRESENT) | table AVERAGE, PRESENT| eval THRESHOLDEXCEED =if(PRESENT> AVERAGE*4, "YES","NO") | append [search index=mailindex earliest=-10m | stats count by subject | sort -count] | eventstats values(THRESHOLDEXCEED) as THRESHOLDEXCEED | where THRESHOLDEXCEED="YES"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ozirus
Path Finder
09-19-2016
11:45 AM
When I do this, it works as expected in the result window but it sends one mail for each result row. How can i consolidate them as one table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-19-2016
12:13 PM
Check your email alert setting, you might be sending "One alert per result". ( check "Alert options" )
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Monitoring AI Agents with Splunk Observability Cloud
Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...
[Puzzles] Solve, Learn, Repeat: Tiling
This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...
SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...
Thursday, July 9, 2026 | 11:00AM–12:00PM PDT
Duration: 1 hour (includes Q&A)
Managing can feel like a ...
