Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I trigger alert if there are extracts where TOTAL_PIECES >0 and RETRIEVAL_ATTEMPT= 10?

majilan1
Path Finder
‎08-01-2022 01:03 PM

Hi,

I want the alert to trigger if there are extracts where TOTAL_PIECES >0 and RETRIEVAL_ATTEMPT= 10

Is there anybody can help with this please?

My search is,

index=A source=B sourcetype=c

| fillnull value=0 TOTAL_PIECES  RETRIEVAL_ATTEMPT

| where RETRIEVAL_ATTEMPT= 10

| rename "SASP_CTRL_SEQ_NBR" as "Extract_Seq_ID" ,"IV_STS" as "IV_Status", "RETRIEVAL_ATTEMPT" as "Retrieval_Attempt","PSTG_STMT_N" as "Pos_St","TOTAL_PIECES" as "Piece_Count"

| table "Extract_Seq_ID","IV_Status","Retrieval_Attempt","Pos_St","Piece_Count"

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎08-02-2022 12:29 AM

Hi

Just like @gcusello said. Use Save As after you have run your SPL query ( add  "AND TOTAL_PIECES > 0" to your where line). Then add Trigger Conditions when there are more than 0 results.

r. Ismo

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-01-2022 11:44 PM

Hi @majilan1,

if your search is correctly running, you have only to save it ("Save As")with the scheduling you need, what's the problem?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎08-02-2022 12:29 AM

Hi

Just like @gcusello said. Use Save As after you have run your SPL query ( add  "AND TOTAL_PIECES > 0" to your where line). Then add Trigger Conditions when there are more than 0 results.

r. Ismo

0 Karma
Reply
Solved! Jump to solution

majilan1
Path Finder
‎08-02-2022 06:48 AM

Thanks! It works, I forgot to add the second part of the condition: TOTAL_PIECES > 0.

0 Karma
Reply
Solved! Jump to solution

majilan1
Path Finder
‎08-02-2022 05:09 AM

Alert should trigger if:

 There are any extracts where TOTAL_PIECES is >0 and the RETRIEVAL_ATTEMPT is = 10.

I added AND TOTAL_PIECES > 0, but I'm not getting no result. The thing  is when I move that TOTAL_PIECES is >0  I get some data, but I need to trigger based on the condition above.

Thanks

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-02-2022 06:49 AM

Hi @majilan1.

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Solved! Jump to solution

majilan1
Path Finder
‎08-02-2022 06:56 AM

Thanks, you guys have been a great helping solve these problems.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...