Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

assign the value to another variable and set an alert

ycho1
Explorer
‎11-23-2021 01:11 PM

hello,

I would like to ask a question on how to assign the value to another variable and set an alert.
I have a this data output from Splunk.

I would like to assign the value to another variables and set an alert when the value become(s) is greater than a threshold like 10 or 20.

for example
when TX_UPS value >= 10, then I send an alert.

how should I approach this in Splunk Alert job?


shipper count
TX_UPS 10
TX_USPS 15
TX_FedEx 5
CO_UPS 5
CO_USPS 9
CO_FedEx 2
MO_UPS 5
MO_USPS 20
MO_FedEx 3
GA_UPS 15
GA_USPS 10
GA_FedEx 5
PA_UPS 9
PA_USPS 21
PA_FedEx 8
NY_UPS 30
NY_USPS 99
NY_FedEx 20

index=main AND "*TRACKING*"
| stats count by shipper

 

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ycho1
Explorer
‎11-24-2021 07:28 AM

It works great.
Thank you for your help.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-23-2021 02:02 PM

This seems pretty straightforward so I must be missing something.  This query will trigger an alert if any shipper has a count greater than 10, provided the alert is set to trigger when there are more than zero results.

index=main AND "*TRACKING*"
| stats count by shipper
| where count > 10
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ycho1
Explorer
‎11-23-2021 02:13 PM

Thank you richgalloway for your input.

However, I need to know the shipper name that becomes above the threshold.

since there a multiple shippers, I need to specify which shipper has greater than the threshold.
your solution "where count > 10" doesn't tell me which shipper name though.
My guess would be I need to assign each shipper value
for example:

| eval TX_UPS_VAL = (count AND where shipper = TX_UPS)
does it make sense?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2021 05:57 AM

Did you TRY the query?

The command | stats count by shipper does indeed specify the shipper name.

The command | where count > 10 merely removes those results with a count less than or equal to ten.

You should end up with something like this:

shipper count
TX_USPS 15
MO_USPS 20
GA_UPS 15
PA_USPS 21
NY_UPS 30
NY_USPS 99
NY_FedEx 20
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

ycho1
Explorer
‎11-24-2021 07:28 AM

It works great.
Thank you for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...