Hello,
I would like to ask a question on how to assign the value to another variable and set an alert.
I have this data output from Splunk.
I would like to assign the value to other variables and set an alert when the value becomes greater than a threshold like 10 or 20.
For example:
when TX_UPS value >= 10, then I send an alert.
How should I approach this in a Splunk alert job?
shipper count
TX_UPS 10
TX_USPS 15
TX_FedEx 5
CO_UPS 5
CO_USPS 9
CO_FedEx 2
MO_UPS 5
MO_USPS 20
MO_FedEx 3
GA_UPS 15
GA_USPS 10
GA_FedEx 5
PA_UPS 9
PA_USPS 21
PA_FedEx 8
NY_UPS 30
NY_USPS 99
NY_FedEx 20
index=main AND "*TRACKING*"
| stats count by shipper
This seems pretty straightforward so I must be missing something. This query will trigger an alert if any shipper has a count greater than 10, provided the alert is set to trigger when there are more than zero results.
index=main AND "*TRACKING*"
| stats count by shipper
| where count > 10
Thank you, richgalloway, for your input.
However, I need to know the shipper name that goes above the threshold.
Since there are multiple shippers, I need to specify which shipper has a count greater than the threshold.
Your solution "where count > 10" doesn't tell me which shipper name, though.
My guess would be that I need to assign each shipper value,
for example:
| eval TX_UPS_VAL = (count AND where shipper = TX_UPS)
Does it make sense?
Did you TRY the query?
The command | stats count by shipper does indeed specify the shipper name.
The command | where count > 10 merely removes those results with a count less than or equal to ten.
You should end up with something like this:
shipper count
TX_USPS 15
MO_USPS 20
GA_UPS 15
PA_USPS 21
NY_UPS 30
NY_USPS 99
NY_FedEx 20
It works great.
Thank you for your help.
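As an added example (not from the original thread and not richgalloway's search), the same stats-based search extended so that each carrier can carry its own threshold and every alert row names the state, the carrier, and the threshold that was crossed. The thresholds of 20 for USPS and 10 for UPS/FedEx are assumed for illustration, and the state/carrier split relies on the shipper values keeping the STATE_CARRIER form shown in the question.

```spl
index=main AND "*TRACKING*"
| stats count by shipper
| eval state=mvindex(split(shipper, "_"), 0), carrier=mvindex(split(shipper, "_"), 1)
| eval threshold=case(carrier="USPS", 20, true(), 10)
| where count >= threshold
| eval message=shipper." has ".count." tracking events (threshold ".threshold.")"
| table state carrier shipper count threshold message
| sort - count
```

Save it as an alert with the trigger condition "Number of results is greater than 0", as in richgalloway's answer; with the sample data above it returns seven rows (TX_UPS, GA_UPS, NY_UPS, MO_USPS, PA_USPS, NY_USPS and NY_FedEx), and the message field can be used directly in the notification text.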