Re: How to create a single alert for multiple erro...

shady6 · ‎03-09-2023

Following is my query:

index=backup | stats count by errors

I have thousands of error codes in logs and I need to trigger a unique alert for each error code. Is it possible to create a single alert? I have saved the above query with "for each result" option but still get only one trigger with all the error codes.

Tom_Lundie · ‎03-09-2023

I can't recreate your issue.

Using this run anywhere example:

| makeresults count=100
| eval e = substr(tostring(random()), -1)
| eval errors = case(e <= 2, "Error1", e <= 5, "Error2", e <= 8, "Erro3" , 1=1, "Error4")
| stats count by errors

I set up an alert with a send email action and set the alert to be "For each result". I subsequently received four emails.

Make sure you're not throttling the alert, and make sure "For each result" is definitely set.

If you still have no luck then I suspect you could be hitting a bug? Can you share your Splunk version and a screenshot of the alert and I'll see if I can recreate it.

How to create a single alert for multiple error codes

count

fields

stats

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Data Persistence in the OpenTelemetry Collector

Thanks for the Memories! Splunk University, .conf25, and our Community

Are you a member of the Splunk Community?