Splunk Search

How to trigger an custom alert condition of multiples from the basic search of Splunk?

AjayTakur
Loves-to-Learn Everything
I am new to Splunk and facing an issue while setting up the custom alert. The results as shown in Table 1.

0.png
I have tried the one which is highlighted in red color below is not working. 
0.png

How do I configure for both of the values ie., DCOEtransfercount and NDMCopycount?

Note: Ignore the DCOEtransfercount and NDMCopycount labels in both of the tables.


0 Karma

richgalloway
SplunkTrust
SplunkTrust

I've had the best results by putting the trigger criteria in the search and then have the alert trigger when the number of results is not zero.

<<your search>>
| where (DCOEtransfercount=1 AND NDNCopycount=1)

It's also possible your current settings would work by changing "and" to "AND" in the trigger condition.

---
If this reply helps you, Karma would be appreciated.
0 Karma

AjayTakur
Loves-to-Learn Everything

By putting the trigger criteria in the search
<<your search>>
| where (DCOEtransfercount=1 AND NDNCopycount=1)
is also getting events irrespective of whether the value is 1/2/3 for both the DCOEtransfercount AND NDNCopycount. It seems that the where a condition is not working.

0 Karma

AjayTakur
Loves-to-Learn Everything

By changing "and" to "AND" in the trigger condition does not work. since I assume the table has multiple rows each for DCOEtransfercount & NDNCopycount. hence it is not working. how do those two conditions together make it work with different rows?

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Changing "and" to "AND" is simply a syntactic fix since the logical operator must be uppercase so lowercase "and" would search for the string "and" in your results.

Anyway, your requirement seems a bit vague so it would be best if you shared (anonymized if needed) sample of output of your scheduled search and explained when you would like the alert triggered.

0 Karma

AjayTakur
Loves-to-Learn Everything

The trigger condition is 

DCOEtransfercount=1 AND NDNCopycount=1


Search query is

...
| append [search index="pd" "successful" "notif/output/"
  | stats count as DtransferCount by _raw 
  | fields DtransferCount 
  | rename _raw as Dtransfer] 
| append [search index="pd" "SBID=nr" "DM" "PAM=sende" "notif/archive/" 
  | stats count as DMCopyCount by _raw 
  | fields DMCopyCount
  | rename _raw as DMCopy]

Results are:
11.png

0 Karma

PickleRick
SplunkTrust
SplunkTrust

OK. So your options are:

1. Rework your search so that the results are aggregated into single event so that you can compare different fields within a single event or

2. Use something like |stats values in your condition search to "compress" the results and then compare aggregated fields.

0 Karma

AjayTakur
Loves-to-Learn Everything

Could you provide me with the query using option 2..

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Something like

stats  values(*) as * | where DCOEtransfercount=1 AND NDNCopycount=1

as the alert condition.

Might need further tweaking if you expect multiple result rows in your original results.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...