Manage alert threshold and rows returned all within the custom condition in the alert

Builder

This kind of spiraled as I was helping a coworker with an alert where they had all the durations and times hardcoded in the query of the alert.

The easiest way to describe what I am trying to do would be if Splunk allowed you to configure an alert for

where value>X and rows returned > y

So an alert for the sum of action durations by time could be managed without specifying the duration threshold or time within the query but with the custom trigger condition within the alert.

Has anyone run into this and figured it out?

Basically I am now trying to work in a single stanza at the end of a query (which I can use as the custom condition in the alert) to evaluate the rows returned based on the value per row in the result set.

0 Karma
1 Solution

Builder

Ok, I think I figured this out. I end the base search in the alert like this (it's pretty verbose in the field names to help me remember things):

| bin span=1m _time
| stats exactperc95(DurationTotal) AS p95Duration by date_minute Action 
| outlier
| addtotals labelfield=Action label=Total 
| stats sum(Total) as DurationTotal dc(date_minute) as consecutive_minutes_in_violation by date_minute 

and the custom condition in the alert

| where DurationTotal>270000 | streamstats sum(consecutive_minutes_in_violation) AS consecutive_minutes_in_violation| search consecutive_minutes_in_violation>1

This allows not only the Duration threshold to be edited but also the consecutive minutes it crossed the threshold, independent of the search time frame. Nothing, therefore, is hard-coded in the actual alert query.

0 Karma
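As an added illustration (not code from the post or from Splunk), here is a small Python model of the custom trigger condition above, run over constructed per-minute rows shaped like the base search's output, with the duration threshold and the minute count kept as parameters the way the post intends. It also includes a stricter variant that only counts adjacent minutes, since a running sum counts every violating minute in the search window; the sample rows assume `date_minute` values within a single hour.

```python
# Constructed sample rows shaped like the output of the posted base search:
# one row per minute with the summed p95 duration (ms) across actions.
SAMPLE_ROWS = [
    {"date_minute": 10, "DurationTotal": 120000},
    {"date_minute": 11, "DurationTotal": 300000},
    {"date_minute": 12, "DurationTotal": 150000},
    {"date_minute": 13, "DurationTotal": 310000},
    {"date_minute": 14, "DurationTotal": 295000},
]


def violating_minutes_running(rows, threshold_ms):
    """Mirror the posted condition: `where DurationTotal>threshold` drops
    rows under the threshold, then `streamstats sum(...)` keeps a running
    count of the surviving rows (each contributed dc(date_minute)=1).
    Returns (date_minute, running_count) per surviving row, in search order."""
    running = 0
    out = []
    for r in rows:
        if r["DurationTotal"] > threshold_ms:
            running += 1
            out.append((r["date_minute"], running))
    return out


def longest_consecutive_run(rows, threshold_ms):
    """Stricter variant: longest run of *adjacent* minutes over threshold.
    A gap (a quiet minute or a missing row) resets the run."""
    best = cur = 0
    prev_minute = None
    for r in sorted(rows, key=lambda r: r["date_minute"]):
        if r["DurationTotal"] > threshold_ms:
            cur = cur + 1 if prev_minute == r["date_minute"] - 1 else 1
            best = max(best, cur)
        else:
            cur = 0
        prev_minute = r["date_minute"]
    return best


def should_trigger(rows, threshold_ms=270000, min_minutes=2, consecutive=False):
    """Evaluate the alert the way Splunk would: trigger when at least one
    row survives the custom condition (running count >= min_minutes,
    i.e. `search consecutive_minutes_in_violation>1` for min_minutes=2).
    With consecutive=True, only adjacent violating minutes are counted."""
    if consecutive:
        return longest_consecutive_run(rows, threshold_ms) >= min_minutes
    counts = violating_minutes_running(rows, threshold_ms)
    return bool(counts) and counts[-1][1] >= min_minutes
```

Changing `threshold_ms` or `min_minutes` here corresponds to editing the numbers in the alert's trigger condition rather than in the saved search.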

SplunkTrust

I might be completely off here and misunderstanding your question, but if you have 2 conditions you would like to set an alert by, maybe use a sub-search? Here is a very general example:

your first search | appendcols [search that finds stuff / matches condition | eval condition=True | return condition] | search condition=True

If number of results >= 1, trigger alert.
Credit for the approach to @jkat54.
Hope it helps.

0 Karma

Builder

I think you understood, but I wanted to not have any of the conditions within the actual search itself, only the alert condition. I got it working though with the solution below.

0 Karma

SplunkTrust

Very good then.
Kindly mark your answer as answered.
Well done.

0 Karma