Solved: Re: How to create a search for Splunk alerts for d...

wicke_s · ‎06-14-2019

I am trying to create a splunk alert for duplicate data and would like some help in creating the splunk search. The data looks something like this for a giving search time duration

Server    Ping         ID
ref0120   60           125gt
ref0125   53           456hy
ref0365   45           125gt
ref0012   32           526yu

The alert should look for the following:
1. If I get more than 1 event for the same ID in the specified duration, Trigger an alert
2. In our example, we have 2 events with the same ID '125gt'. I want an alert to be triggered when this happens.

Any help would be greatly appreciated!

richgalloway · ‎06-14-2019

Search for events and count them by ID. Eliminate those with a count of 1. If you get any results, trigger and alert.

<your search for events> | stats count, values(Server) as Server, values(Ping) as Ping by ID | where count > 1

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-14-2019

Search for events and count them by ID. Eliminate those with a count of 1. If you get any results, trigger and alert.

<your search for events> | stats count, values(Server) as Server, values(Ping) as Ping by ID | where count > 1

---
If this reply helps you, Karma would be appreciated.

wicke_s · ‎06-14-2019

This is awesome! I tested this and it works perfectly.

Thanks for your time!

How to create a search for Splunk alerts for duplicate events?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms