Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

complex stats to trigger on count of events

dm2
Explorer
‎02-28-2024 03:56 AM

I have this rule, I need it to trigger when results / count of events is greater than 4 but the "Trigger Condition" did not work.
Is there something I can add to the query ? 

dm2_0-1709121026938.png

dm2_1-1709121061997.png

 

Labels (1)
Labels
0 Karma
Reply

dm2
Explorer
‎02-28-2024 05:42 AM

I saying that the rule needs to trigger when events > 4, and the 'Trigger Condition' did not work.

This is the rule that triggered (triggered on one event):

dm2_0-1709127715520.png

 

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎02-28-2024 06:39 AM

ok something is not clear. 

the trigger condition is results count greater than 4, then trigger/run the trigger conditions. 

1) do you say that when the results are greater than 4, but still the trigger did not work. 

2) on your latest reply, you got only one result, but the trigger condition ran successfully ya?

Can you pls attach the trigger conditions screenshot pls. 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-28-2024 03:59 AM

Hi @dm2,

please, share your search in text mode, otherwise it's more difficoult to help you.

You can insert the text using the "Insert/Edit code sample" button.

Ciao.

Giuseppe

0 Karma
Reply

dm2
Explorer
‎02-28-2024 04:17 AM 
| stats count dc("File Name") as "File Name Count" first(_time) as _time, values(host) as host, values("File Type") as "File Type", values(Policy) as Policy, values(SHA256) as SHA256, values("Block Reason") as "Block Reason", values(Blocked) as Blocked by "File Name"
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎02-28-2024 05:32 AM

Hi @dm2 .. the SPL looks good and working fine also(as per the image). 

the trigger condition says the result greater than 4 and the image shows result 1. so the trigger condition was not triggered. 

are you saying that, when the result is greater than 4 also the trigger condition not triggering?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...