Solved: How to create an alert with the condition "where f...

burwell · ‎06-08-2016

We want to run an alert like this:

1) index=foo condition=bar | stats count as errors | where errors > 0 AND errors < 1000

2) The alert has an action to send to a mailing list.

3) When we click on the alert, the users should see the actual raw events, not the stats count in the Statistics tab.

4) We also run a script

The reason for the > 0 and < 1000 is that we have other alerts for > 1000 and we do different actions.

The problem I can't solve is that when I set things up, when people click on the link in email, they see the statistics tab and don't see the raw events. They have to rerun in Verbose mode to see the raw events.

If it was just > 0, I could eliminate the stats count and say that the condition is > 0 events and then clicking on the link would get us to the raw events.

burwell · ‎06-24-2016

Got the answer.

The trick is to use values of _raw and then use mvexpand to make each event on a separate line. The output is sweet.

index=foo condition=bar | stats values(_raw) AS raw count as errors | where errors > 0 AND errors < 1000 | table errors raw | mvexpand raw

View solution in original post

burwell · ‎06-24-2016

Got the answer.

The trick is to use values of _raw and then use mvexpand to make each event on a separate line. The output is sweet.

index=foo condition=bar | stats values(_raw) AS raw count as errors | where errors > 0 AND errors < 1000 | table errors raw | mvexpand raw

How to create an alert with the condition "where field > n AND field < m" AND show the raw events when clicking on the alert?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life