raise alert after exceeding threshold twice

sarit_s · ‎09-22-2021

Hello, Is there an option to set an alert that will raise only after the search reached the threshold twice ? thanks

gcusello · ‎09-22-2021

you have two way to reach your goal:

create an lert with a search for a double time period and search if the threeshold is passed twice;
craete an alert that writes the notable event in a summary index and then run your alert on this summary index.

using the first method, e.g. if you have a threeshold of 5 events in 5 minutes, you could run every 10 minutes a search like this:

index=your_index earliest=-10m@m latest=@m
| bin span=5m _time
| stats count BY _time
| where count>5
| stats count
| where count>1

using the second method, you have to run every 5 minutes a search like this:

index=your_index earliest=-5m@m latest=@m
| stats count
| where count>5
| collect index=my_alert_summary

that writes notable events in a summary index, then run another search every 10 minutes on this summary index:

index=my_alert_summary earliest=-10m@m latest=@m
| stats count
| where count>1

Ciao.

Giuseppe

Are you a member of the Splunk Community?