Alerting

Configure an alert based on the number of results as warning, high, critical in same alert

chandrasekharko
Path Finder

I want to configure an alert with different thresholds as in

Warning - count > 5
High - count > 10
Critical - Count > 15

If there are 10 results in the count then I need to get an alert saying it is critical, not the warning and high.

0 Karma

somesoni2
Revered Legend

Do you want to set the severity based on count, or will text in the subject line with the severity be OK?

0 Karma

chandrasekharko
Path Finder

Based on count

0 Karma

woodcock
Esteemed Legend

Add this to the end of your search:

| eval criticality=case((count>15), "Critical", (count>10), "High", (count>5), "Warning", true(), "N/A")

Then in your email you can use $result.criticality$ in your subject line and count>5 for your threshold.

chandrasekharko
Path Finder

What does N/A mean here?
The subject looks like this:
Working On it N/A
It should say "Working On it Critical", as the results are around 20.

0 Karma

woodcock
Esteemed Legend

You used both count and Count; make sure that the search is correct and that it generates the correct value for criticality based on Count/count and then it should work.

0 Karma

chandrasekharko
Path Finder

This is how my query looks after the search:

|eval time=strftime(_time, "%m/%d/%y %I:%M:%S:%p") | table time,host,c_ip,cs_uri_stem,s_ip,s_port,sc_status,sc_substatus,time_taken | eval criticality=case((count>15), "Critical", (count>10), "High", (count>5), "Warning", true(), "N/A")

Am I doing anything wrong here?

0 Karma

woodcock
Esteemed Legend

You have not calculated a count field! Maybe something like this:

|eval time=strftime(_time, "%m/%d/%y %I:%M:%S:%p")
| stats count BY host c_ip cs_uri_stem s_ip s_port sc_status sc_substatus time_taken
| eval criticality=case((count>15), "Critical", (count>10), "High", (count>5), "Warning", true(), "N/A")

0 Karma
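As an added example (not from the thread), here is the whole pattern wired up as a saved alert in savedsearches.conf: the search first rolls the matching events into a single row with a real count field, then derives the severity with case(), the trigger is a custom condition on the lowest threshold, and the e-mail subject pulls the computed severity from the result. The stanza name, index, sourcetype, recipient and schedule are assumed placeholders.

```ini
# savedsearches.conf (assumed placeholders: stanza name, index, sourcetype, recipient, schedule)
[web_error_volume_alert]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# "stats count" without BY produces ONE row with a real "count" field, so the
# thresholds see the total number of matching events. case() returns the first
# branch that is true, so 20 events give "Critical" only, never "Warning" too.
search = index=web sourcetype=iis sc_status>=500 \
  | stats count \
  | eval criticality=case(count>15, "Critical", count>10, "High", count>5, "Warning", true(), "N/A")

# Because the search always returns exactly one row, a "number of results > 5"
# trigger would never fire; use a custom condition on the count field instead.
alert_type = custom
alert_condition = search count > 5
alert.track = 1

# alert.severity is one static value per saved search (1-6), so the per-run
# severity has to travel in the subject text, as the thread suggests.
alert.severity = 3
action.email = 1
action.email.to = secops@example.com
action.email.subject = Working On it $result.criticality$
action.email.include.results_link = 1
```

If the per-event rows are still wanted in the e-mail body, swap stats count for eventstats count, which adds the same count field to every row instead of collapsing them.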

chandrasekharko
Path Finder

Sorry to keep bugging you on this. The criticality is still showing as N/A.

0 Karma

woodcock
Esteemed Legend

What I wrote ABSOLUTELY works. We are going to have to stop playing the "this isn't really my search" game and you'll have to post your real search if you need to get it right. For example, in your fragment you are calculating time but not using it....

0 Karma