- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Manage alert threshold and rows returned all withi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This kind of spiraled as I was helping a coworker with an alert they had all the duration and times hardcoded in the query of the alert.
The easiest way to describe what I am trying to do would be if Splunk allowed you to configure an alert for
where value>X and rows returned > y
So an alert for the sum of action durations by time could be managed without specifying the duration threshold or time within the query but with the custom trigger condition within the alert.
Has anyone run into this and figured it out?
Basically I am now trying to work in a single stanza at the end of a query (which I can use as the custom condition in the alert) to evaluate the rows returned based on the value per row in the result set
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok I think I figured this out. I end the base search in the alert like this(its pretty verbose in the field names to help me remember things)
| bin span=1m _time
| stats exactperc95(DurationTotal) AS p95Duration by date_minute Action
| outlier
| addtotals labelfield=Action label=Total
| stats sum(Total) as DurationTotal dc(date_minute) as consecutive_minutes_in_violation by date_minute
and the custom condition in the alert
| where DurationTotal>270000 | streamstats sum(consecutive_minutes_in_violation) AS consecutive_minutes_in_violation| search consecutive_minutes_in_violation>1
This allows not only the Duration threshold to be edited but also the consecutive minutes it crossed the threshold independent of the search time frame. Nothing therefor is hard coded in the actual alert query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok I think I figured this out. I end the base search in the alert like this(its pretty verbose in the field names to help me remember things)
| bin span=1m _time
| stats exactperc95(DurationTotal) AS p95Duration by date_minute Action
| outlier
| addtotals labelfield=Action label=Total
| stats sum(Total) as DurationTotal dc(date_minute) as consecutive_minutes_in_violation by date_minute
and the custom condition in the alert
| where DurationTotal>270000 | streamstats sum(consecutive_minutes_in_violation) AS consecutive_minutes_in_violation| search consecutive_minutes_in_violation>1
This allows not only the Duration threshold to be edited but also the consecutive minutes it crossed the threshold independent of the search time frame. Nothing therefor is hard coded in the actual alert query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i might be completely off here and misunderstanding your question but if you have 2 conditions you would like to set an alert by, maybe use a sub-search? here is a very general example:
your first search | appendcols [search that's finds stuff / matches condition | eval condition=True| return condition] | search condition=True
If number of results >= 1, trigger alert
credit for the approach to @jkat54
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you understood, but I wanted to not have any of the conditions within the actual search itself, only the alert condition. I got it working though with the solution below.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
very good then.
kindly mark your answer as answered.
well done
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
