Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

complex stats to trigger on count of events

dm2
Explorer
‎02-28-2024 03:56 AM

I have this rule, I need it to trigger when results / count of events is greater than 4 but the "Trigger Condition" did not work.
Is there something I can add to the query ? 

dm2_0-1709121026938.png

dm2_1-1709121061997.png

 

Labels (1)
Labels
0 Karma
Reply

dm2
Explorer
‎02-28-2024 05:42 AM

I saying that the rule needs to trigger when events > 4, and the 'Trigger Condition' did not work.

This is the rule that triggered (triggered on one event):

dm2_0-1709127715520.png

 

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎02-28-2024 06:39 AM

ok something is not clear. 

the trigger condition is results count greater than 4, then trigger/run the trigger conditions. 

1) do you say that when the results are greater than 4, but still the trigger did not work. 

2) on your latest reply, you got only one result, but the trigger condition ran successfully ya?

Can you pls attach the trigger conditions screenshot pls. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-28-2024 03:59 AM

Hi @dm2,

please, share your search in text mode, otherwise it's more difficoult to help you.

You can insert the text using the "Insert/Edit code sample" button.

Ciao.

Giuseppe

0 Karma
Reply

dm2
Explorer
‎02-28-2024 04:17 AM 
| stats count dc("File Name") as "File Name Count" first(_time) as _time, values(host) as host, values("File Type") as "File Type", values(Policy) as Policy, values(SHA256) as SHA256, values("Block Reason") as "Block Reason", values(Blocked) as Blocked by "File Name"
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎02-28-2024 05:32 AM

Hi @dm2 .. the SPL looks good and working fine also(as per the image). 

the trigger condition says the result greater than 4 and the image shows result 1. so the trigger condition was not triggered. 

are you saying that, when the result is greater than 4 also the trigger condition not triggering?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...