cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
bitnoise
Explorer
Member since: ‎08-18-2020
‎10-25-2023
Community Statistics
Posts 9
Solutions 0
Karma Given 4
Karma Received 1
Member Since ‎2020-08-18
Activity Feed
View All

Re: Reuse search query, but conditionally

by in Splunk Search
‎10-25-2023 12:18 AM
1 Karma
‎10-25-2023 12:18 AM
1 Karma
I was fighting with the query, as it kept on giving me results, but seems I overlooked the fact that the "off" trigger happend twice and the other only once 🙂    Great! Thanks a lot ... View more

Re: Reuse search query, but conditionally

by in Splunk Search
‎10-24-2023 05:51 AM
‎10-24-2023 05:51 AM
Cool, never saw that streamstats thingy, I'll test it and let you know 🙂 ... View more

Reuse search query, but conditionally

by in Splunk Search
‎10-24-2023 02:43 AM
‎10-24-2023 02:43 AM
Hi, I have a 'complex' (for me at least) question.  What I want to achieve is the following: 1)  index=abc msg="*firewall off*" |table _time,hostname,msg >this will give me, for example: hostname = machine1 msg = "the firewall has been turned off" >> I want to be triggered if someone turns off the firewall Now, the actual issue I have now is the following:  A few seconds before this event, I might get a "system update event" that updates the firewall (agent update), which is OK, and I do NOT want this event. I would need to combine both queries into 1 alert.   2)  index=abc hostname=machine1 NOT msg="*system updated*" I want to see the result of 1, but only if it was not preceeded by 2. I hope this makes sense. ... View more
Labels

Re: Trigger alert on multiple events

by in Alerting
‎08-21-2020 03:58 AM
‎08-21-2020 03:58 AM
Don't I feel stupid now... 🙂 this one works as should now, I just had to adapt my alert trigger to a custom trigger where I also do: where count1 < xxxx AND count2 < xxxx Thanks a lot for the great assistance! Danny ... View more

Re: Trigger alert on multiple events

by in Alerting
‎08-21-2020 01:20 AM
‎08-21-2020 01:20 AM
  Strange things happening when I do this with the 'where'. If I remove the 'where', it shows this: (ps, I just did |table email@domain.com)   ... View more

Re: Trigger alert on multiple events

by in Alerting
‎08-20-2020 04:27 AM
‎08-20-2020 04:27 AM
Woohoo! (ignore the high numbers, had to make sure the event happens 😉 ) Thu Aug 20 13:00:00 2020 417 Thu Aug 20 13:05:00 2020 618 Thu Aug 20 13:05:00 2020 618 Thu Aug 20 13:10:00 2020 525 Final config (for others): SEARCH | timechart span=300s count by sender| where isnull(count) OR count < 1000 SEARCH Advanced: -10m@m > @m Alert Timerange: -10m@m > @m Cron: */5 * * * * The only thing I don't know is how to retrieve the 'count' from both results. Can I do something like TOTAL MAILS in 5 min: [$result.count$][0] and TOTAL MAILS in 5 min: [$result.count$][1] to retrieve both counts? Currently I do this: TOTAL MAILS in 5 min: [$result.count$] Thanks ... View more

Re: Trigger alert on multiple events

by in Alerting
‎08-19-2020 11:50 PM
‎08-19-2020 11:50 PM
Hi Ralph, I adjusted a test trigger yesterday and let it run all night.  Some strange behavior still, but I'll try to finetune it and come back with the result. Currently I did this: SEARCH: xxx | timechart span=11m count by sender| where isnull(count) OR count < 400 CRON: */5 * * * * TIME RANGE: Last 301 seconds TRIGGER: n° of results is greater than 1; once I have the impression the results are not really consistent due to the 11m. Mail1: Thu Aug 20 05:32:00 2020 151 Thu Aug 20 05:43:00 2020 128 Mail 2: Thu Aug 20 05:43:00 2020 214 Thu Aug 20 05:54:00 2020 54 ... View more

Re: Trigger alert on multiple events

by in Alerting
‎08-19-2020 08:14 AM
‎08-19-2020 08:14 AM
Hi Ralph, sorry, I'll try to be more clear. Currently I trigger a mail when 'sender count' < 100 in 5 minutes.  Now, this "event" should happen twice in a row. (So 10:00 and 10:05 and then he should send the mail). So, the option 2 in your question:  every 5 mins, 2 times in a row = alert mail. Thanks ... View more

How to trigger email alert on multiple events at d...

by in Alerting
‎08-18-2020 11:49 PM
‎08-18-2020 11:49 PM
Hello, I have seen the question pass multiple times already, so I have searched it already, but  I was unable to find a query for my specific situation. So, my query ends with: |stats count by sender| where isnull(count) OR count < 100 I had my alert set up that if it occurs, that I get a mail.  The goal is here that this above event must happen twice in a timeframe of 5 minutes before he should send the mail. Can anyone please assist me with this? Thanks Danny ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎10-25-2023 12:25 AM
Karma from
View All
Karma given to
View All