raise alert after exceeding threshold twice - Splunk Community

Splunk Search

Hello, Is there an option to set an alert that will raise only after the search reached the threshold twice ? thanks

you have two way to reach your goal:

create an lert with a search for a double time period and search if the threeshold is passed twice;
craete an alert that writes the notable event in a summary index and then run your alert on this summary index.

using the first method, e.g. if you have a threeshold of 5 events in 5 minutes, you could run every 10 minutes a search like this:

index=your_index earliest=-10m@m latest=@m
| bin span=5m _time
| stats count BY _time
| where count>5
| stats count
| where count>1

using the second method, you have to run every 5 minutes a search like this:

index=your_index earliest=-5m@m latest=@m
| stats count
| where count>5
| collect index=my_alert_summary

that writes notable events in a summary index, then run another search every 10 minutes on this summary index:

index=my_alert_summary earliest=-10m@m latest=@m
| stats count
| where count>1

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...