- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Multiple alerts in one query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multiple alerts in one query
Please help I want the query with below scenario.
Requirement 1:
Check occurence of 0 in 10 mins timeframe.
If continuously 0 in 5 minutes,set some counter at every occurence of 0 continuously and send alert.
When the value > 0,reset counter.
Requirement 2:
Check if specific logs are not updating for sometime send alert.
Requirement 3:
Check the occurence of en event in 10 minutes timeframe and throw alert at some threshold.
In this source file is different.
All these in one query.and alert should specify what is wrong.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FIrst, no. Just No.
That is not ONE alert. At a minimum it is two. Writing that as one alert is going to give you nightmares trying to keep it up to date. Three unrelated conditions to be checked equals three alerts. It is possible that the first two use cases are a single alert, in which case the specifications are wrong for the first one, since it is describing a method, not a business requirement.
Second, your second point is a very standard "what happens when my hosts are not reporting in" kind of problem. There are probably twenty answers up here like the following two...
https://answers.splunk.com/answers/237872/find-hosts-which-are-not-reporting.html
https://answers.splunk.com/answers/406103/how-to-create-a-search-to-find-expected-hosts-that.html
It seems like the first requirement might have been your attempt to think through how to achieve this second requirement. Don't confuse those... the second requirement does not in any way need the first. You can search for other ways to achieve the second, and the first is never going to be the most efficient choice.
Third, the third alert is so general that it's hard to see what issue might exist with how to code it. Here is basic pseudocode for that one...
earliest=-10m@m latest=@m index=foo
your search that finds your events
| stats count as hit_count by some_field
| where hit_count >= whatever threshold you chose
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what? why? when? where?
please give us a little more to work with ...
to your question, probably something like
.... search for data for (requirement 1) OR (requirement 2) OR (requirement 3)
| ... streamstats time_window=5m avg(your_field_that_has_value_for _requirement_1) as avg_req_1 reset_after="0" as "your_counter"
| eval alert = case(avg_req_1=0,req_1,some_condition_for_req_2,req_2,more_conditions_for_req_3,req_#)
| more stuff or table here ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@adonio
It worked.
Thanks.
Is it possible to use reset_after/before for resetting multiple fields (using foreach and streamstats)
Index This | I’m short for "configuration file.” What am I?
New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...
Your Guide to SPL2 at .conf24!
