Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What should be the search string and trigger alert condition for below mentioned alert scheduling scenario.

Snehaan
Explorer
‎08-26-2020 08:34 AM

Hi All,

I have a search string like below: 

index=qrp STAGE IN ("*_LDD",TRADE_EVENT,SOPHIS_TRANS,SOPHIS_INSTR,ORDER_EVENT)
| timechart useother=f span=1h sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE
| fillnull value=0

And the result screenshot is below. The AR1, BE1 ect are source system codes and the numerical values for each source system in the rows are the aggregate trade counts for respective source system at that time span starting from 00:00:00 hours.

Snehaan_0-1598455181466.png

 

I want to schedule an alert at 8 a.m in the morning which should get triggered when the whole summation of the trade aggregates values from 00:00:00 hours till 08:00:00 hours for each source system is not more that threshold 2000. 

For example, in the above screenshot, we can see the summation of trades for source system MXT is 1030 between 00:00:00 till 08:00:00 hours which is below threshold and alert email notification should be sent.

Could you please help with how to set up my search string and what should be my alert triggering condition?

Thanks in advance. Your help is much appreciated. 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-26-2020 09:37 AM

Timechart probably is not the best choice for an alert since you likely don't care about values over time so much as the most recent value.  Try stats, instead.

 

index=qrp STAGE IN ("*_LDD",TRADE_EVENT,SOPHIS_TRANS,SOPHIS_INSTR,ORDER_EVENT)
| bin span=1h
| stats sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE
| where TradeCount < 2000

 

You may omit the bin command if the alert is scheduled to run at 8am and has a time window of 8 hours.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-26-2020 09:38 AM

Something like set your span to 8h and then trigger the alert on custom condition of "search TradeCount < 2000"

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-26-2020 09:37 AM

Timechart probably is not the best choice for an alert since you likely don't care about values over time so much as the most recent value.  Try stats, instead.

 

index=qrp STAGE IN ("*_LDD",TRADE_EVENT,SOPHIS_TRANS,SOPHIS_INSTR,ORDER_EVENT)
| bin span=1h
| stats sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE
| where TradeCount < 2000

 

You may omit the bin command if the alert is scheduled to run at 8am and has a time window of 8 hours.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Snehaan
Explorer
‎08-27-2020 02:32 AM

Hi @richgalloway  Thank you so much for your detailed explanation with the search string. I was in need of this solution only for my business requirement.

Many thanks. 🙂

 

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...