Solved: Re: How to trigger an alert if there is no event2 ...

kiran331 · ‎05-19-2016

Hi all,

I have to trigger an alert for event=1, if there is no event=2 within 30min of event=1. Search I'm using:

index="abc" (EVENT=1 OR EVENT=2)| transaction MACHINE startswith=(EVENT=1) endswith=(EVENT=2)|where duration> 1800 | table  duration  EVENT MACHINE NAME DESCR

It's working only if have an event=2. What is best the best way to achieve it?

somesoni2 · ‎05-19-2016

Try this

index="abc" (EVENT=1 OR EVENT=2)| transaction MACHINE startswith=(EVENT=1) endswith=(EVENT=2) keepevicted=t |where duration> 1800 OR ( mvcount(EVENT)=1 AND EVENT=1)| table duration EVENT MACHINE NAME DESCR

View solution in original post

somesoni2 · ‎05-19-2016

Try this

index="abc" (EVENT=1 OR EVENT=2)| transaction MACHINE startswith=(EVENT=1) endswith=(EVENT=2) keepevicted=t |where duration> 1800 OR ( mvcount(EVENT)=1 AND EVENT=1)| table duration EVENT MACHINE NAME DESCR

kiran331 · ‎05-19-2016

Can you let me know how mvcount is working here, and if i schedule this alert to run every 5 min it will trigger when there is no event=2 within 1800s right?

diogofgm · ‎05-19-2016

mvcount is counting the number of values in a multivalued field

You can check more info here

------------
Hope I was able to help you. If so, some karma would be appreciated.

How to trigger an alert if there is no event2 within 30 minutes of event1?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor