Solved: email alert for time period that contains multiple...

scr4tchfury · ‎10-08-2013

I want to send an email alert only when the last X minutes of a log contains "net1 down", "net2 down", "net3 down", and "net4 down". The messages are on different lines. How can I do this with the Splunk search app? Right now I have it send me an alert with results for "net* down" and eyeball it to make sure not all 4 are there.

lukejadamec · ‎10-08-2013

Schedule a search to run every 15 minutes

Set the alert to trigger if the result count is greater than 3

index=yourindex sourcetype=yoursourcetype  yourfield="*net1 down*" OR  yourfield="*net2 down*" OR  yourfield="*net3 down*" OR  yourfield="*net4 down*"  | dedup yourfield

View solution in original post

lukejadamec · ‎10-08-2013

Schedule a search to run every 15 minutes

Set the alert to trigger if the result count is greater than 3

index=yourindex sourcetype=yoursourcetype  yourfield="*net1 down*" OR  yourfield="*net2 down*" OR  yourfield="*net3 down*" OR  yourfield="*net4 down*"  | dedup yourfield

lukejadamec · ‎10-08-2013

What is the field name that includes netxdown?

scr4tchfury · ‎10-08-2013

They are 4 different events.

lukejadamec · ‎10-08-2013

Are these different lines of the same event, or 4 different events?

email alert for time period that contains multiple items

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases