Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to trigger an alert if 3 consecutive search results reach a certain threshold?

snehalk
Communicator
‎08-11-2015 05:11 AM

Hello All,

I have one requirement where an alert needs to be triggered after three continuous search results reach a certain threshold.

Eg: am pulling table from an Oracle database which has two columns: one is time and other is reportnumber. The requirement is, if the reportnumber increases above 45 continuously, then the alert needs to be triggered (Note: data is pulling from database every 5 min)

Below is the search I'm using currently, but it's not working as expected.

index=myindex sourectype=mydata | where reportnumber>45

Note: Alert frequency is every 15 min

Can any one help me on this ?

Thanks in advance

0 Karma
Reply

woodcock
Esteemed Legend
‎08-11-2015 08:09 AM

Use this search every 5 minutes as an Alert with timeframes from -15m@m to now:

index=myindex sourectype=mydata | timechart span=5m max(reportnumber) AS reportnumber | where reportnumber>45 | stats count AS HowManyOfLastThreeAreGreaterThan45

Then set the trigger to a Custom Condition of HowManyOfLastThreeAreGreaterThan45>=3

Reply

snehalk
Communicator
‎08-11-2015 09:47 AM

Hello woodcock,

Thanks for reply, when i configure above search and while creating alert am getting below error

Cannot parse alert condition. Unknown search command HowManyOfLastThreeAreGreaterThan45

Please let me know where am going wrong

0 Karma
Reply

woodcock
Esteemed Legend
‎08-11-2015 11:13 AM

Oops, change it to where HowManyOfLastThreeAreGreaterThan45>=3.

0 Karma
Reply

snehalk
Communicator
‎08-12-2015 05:35 AM

Hello woodcock,

Thanks for reply, will try this and test the alert.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-11-2015 05:47 AM

Yes, put in your search, then go to 'Save As'>Alert

Give it a title, description, Alert type should be 'Scheduled', time range should be 'Run on a CRON Schedule'

Earliest = -15m@m
Latest = @m
Cron Expression = * * * * *
Trigger if number of results 'is greater than 45'

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...