Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to trigger an alert if 3 consecutive search results reach a certain threshold?

snehalk
Communicator
‎08-11-2015 05:11 AM

Hello All,

I have one requirement where an alert needs to be triggered after three continuous search results reach a certain threshold.

Eg: am pulling table from an Oracle database which has two columns: one is time and other is reportnumber. The requirement is, if the reportnumber increases above 45 continuously, then the alert needs to be triggered (Note: data is pulling from database every 5 min)

Below is the search I'm using currently, but it's not working as expected.

index=myindex sourectype=mydata | where reportnumber>45

Note: Alert frequency is every 15 min

Can any one help me on this ?

Thanks in advance

0 Karma
Reply

woodcock
Esteemed Legend
‎08-11-2015 08:09 AM

Use this search every 5 minutes as an Alert with timeframes from -15m@m to now:

index=myindex sourectype=mydata | timechart span=5m max(reportnumber) AS reportnumber | where reportnumber>45 | stats count AS HowManyOfLastThreeAreGreaterThan45

Then set the trigger to a Custom Condition of HowManyOfLastThreeAreGreaterThan45>=3

Reply

snehalk
Communicator
‎08-11-2015 09:47 AM

Hello woodcock,

Thanks for reply, when i configure above search and while creating alert am getting below error

Cannot parse alert condition. Unknown search command HowManyOfLastThreeAreGreaterThan45

Please let me know where am going wrong

0 Karma
Reply

woodcock
Esteemed Legend
‎08-11-2015 11:13 AM

Oops, change it to where HowManyOfLastThreeAreGreaterThan45>=3.

0 Karma
Reply

snehalk
Communicator
‎08-12-2015 05:35 AM

Hello woodcock,

Thanks for reply, will try this and test the alert.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-11-2015 05:47 AM

Yes, put in your search, then go to 'Save As'>Alert

Give it a title, description, Alert type should be 'Scheduled', time range should be 'Run on a CRON Schedule'

Earliest = -15m@m
Latest = @m
Cron Expression = * * * * *
Trigger if number of results 'is greater than 45'

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...