Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alerts setup with required values

Splunk_rocks
Path Finder
‎04-28-2019 01:47 PM

I have following fields in my splunk radioStatus,bitChange,DeviceChange,Temp,Humidity.
index=test | table
radioStatus: Running or Down
bit Change: 0=Closed & 1=Open
deviceChange 0=Normal or 1=Moved
Temp: 90 degrees or below= Normal Above 90 degrees = Abnormal --( regular values in between 1-90)
Humidity: 0-80% = Normal, Above 80%= Abnormal ( regular values in between 1-80)

Case 1)create alert if Radio status down and with respective to "Temp" change is above 90
Case 2)create a alert if Radio status running "Humidity" Above 80%= Abnormal
Case 3)create a alert if "Temp"changes Above 90 degrees = Abnormal for radios
Case 4) Create a alet if "Device" change 1=Moved with "Temp" Above 90 degrees = Abnormal

0 Karma
Reply

woodcock
Esteemed Legend
‎04-29-2019 11:06 PM

Like this:

... | multireport
[ where radio_status="down" | stats dc(radioId) AS radiosDown BY area | where radiosDown >= 2 | eval severity = "Critical" ]
[ where radio_status="down" OR Temp > 90 | eval severity = "Major" ]
[ streamstats  time_window=12h count(eval(Humidity<=80)) AS OK BY radioId | where OK = 0 | eval severity = "Minor" ]
0 Karma
Reply

vishaltaneja070
Motivator
‎04-29-2019 12:32 AM

Hello @Splunk_rocks

You can use the below conditions:

1. index=test radioStatus= Down Temp > 90
2. index=test radioStatus= Running Humidity> 80
3. index=test Humidity>80 Temp> 90
4. index=test deviceChange = 1 Temp > 90

you can schedule the alert 30 sec or 1 min window and alert will be triggered if it find any event.

0 Karma
Reply

Splunk_rocks
Path Finder
‎04-29-2019 06:17 AM

Thank you Those are simple i can but those are not works for me im looking where and if clause to add
like

1)2 or more Radio status down with in same area ( area field) or same region( region) send alert - critical
2) If only one Radio is down with in same me area ( area field) or same region( region) send alert -Major
3) if Temp> 90 - major
4) If Humidity "0-80" normal operation no alarm
5) If Humidity ">80" over 12 hours time- alert with minor

0 Karma
Reply

woodcock
Esteemed Legend
‎04-29-2019 12:20 AM

Show us a sample of your events. Yes, it matters VERY much.

0 Karma
Reply

Splunk_rocks
Path Finder
‎04-29-2019 07:02 AM

Thanks,

here is sample event in _jason format in splunk

"radioId”: “00001",
“timestamp”: “Sat Dec 15 13:19:36 2018",
“deviceChange”: “0",
“Bitchanges”: “1",
“Temp”: “59.17 C”,
“Humidity”: ” 7.92",
“uname”: “Linux ESC_A10 4.14.0 #720 SMP Tue Dec 11 20:35:41 UTC 2018 GNU/Linux”,
“radio_status”: “running”,
“timestamp_cloud”: 187781}}'
we have automatic lookup file with location region state etc with mapped with radioid.

I need to construct below one
1)2 or more Radio status down with in same area ( area field) or same region( region) send alert - critical
2) If only one Radio is down with in same me area ( area field) or same region( region) send alert -Major
3) if Temp> 90 - major
4) If Humidity "0-80" normal operation no alarm
5) If Humidity ">80" over 12 hours time- alert with minor

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...