Is there a way in splunk to alert on number of alerts ?
For example, I want to create an alert which searches for 6 logins into a server. Assuming this runs every 1 min (that's an arbitrary number) and fires an alert called Alert-A, I want to fire an alert B if 5 Alert-A have triggered in the last 5 mins.
I am not looking for a solution where you want to suggest, "why not create a search and alert if 6*5 login attempts have been made on the server."
My question is specific to triggering an alert on other alert.
Hi, you should be able to pull up fired alerts from a REST call, schedule a search on it and trigger an alert on alerts. eg:
| rest /services/alerts/fired_alerts/name | where triggered_alert_count > 5 | table id triggered_alert_count
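Added example (not from the thread above): the same "alert on alerts" logic, applied to records shaped like the entries the fired_alerts REST endpoint returns. It assumes the entry fields savedsearch_name, trigger_time and triggered_alert_count, and that triggered_alert_count is a running total rather than a per-window count, so the sliding 5-minute window is computed from trigger_time; the sample records are constructed.

```python
"""Fire a meta-alert when one alert has fired N times inside a sliding window.

Field names (savedsearch_name, trigger_time, triggered_alert_count) follow the
Splunk /services/alerts/fired_alerts entries as assumed here; records are
constructed for the example and would normally come from that REST call.
"""
import time

# Constructed sample: six Alert-A fires, one of them older than 5 minutes,
# plus an unrelated alert. trigger_time is epoch seconds.
NOW = 1_700_000_000
FIRED_ALERTS = [
    {"savedsearch_name": "Alert-A", "trigger_time": NOW - 30,  "triggered_alert_count": 6},
    {"savedsearch_name": "Alert-A", "trigger_time": NOW - 90,  "triggered_alert_count": 5},
    {"savedsearch_name": "Alert-A", "trigger_time": NOW - 150, "triggered_alert_count": 4},
    {"savedsearch_name": "Alert-A", "trigger_time": NOW - 210, "triggered_alert_count": 3},
    {"savedsearch_name": "Alert-A", "trigger_time": NOW - 270, "triggered_alert_count": 2},
    {"savedsearch_name": "Alert-A", "trigger_time": NOW - 400, "triggered_alert_count": 1},
    {"savedsearch_name": "Alert-C", "trigger_time": NOW - 10,  "triggered_alert_count": 1},
]


def fires_in_window(entries, alert_name, window_sec, now=None):
    """Return trigger times of alert_name that fall in (now - window_sec, now]."""
    now = time.time() if now is None else now
    return sorted(
        e["trigger_time"]
        for e in entries
        if e["savedsearch_name"] == alert_name
        and now - window_sec < e["trigger_time"] <= now
    )


def should_fire_meta_alert(entries, alert_name, threshold, window_sec, now=None):
    """True when alert_name fired at least `threshold` times in the window.

    Using the running triggered_alert_count here would over-count: the oldest
    Alert-A entry above is outside the window but still raises the total to 6.
    """
    return len(fires_in_window(entries, alert_name, window_sec, now)) >= threshold


if __name__ == "__main__":
    hits = fires_in_window(FIRED_ALERTS, "Alert-A", 300, NOW)
    print(f"Alert-A fired {len(hits)} times in the last 5 min")
    print("fire Alert-B:", should_fire_meta_alert(FIRED_ALERTS, "Alert-A", 5, 300, NOW))
```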
This might be a bit of an old thread, but I would be very thankful if you could explain the SPL expression in a slightly non-technical fashion for a new user like me. Specifically, what its different parts are doing. Many thanks
Perfect, this is what I was looking for!! Thanks a bunch there!!!
Exactly what I was after 🙂