I have got the following parameter defined within a Splunk report which works perfectly well for temperature detection!
index=main sourcetype="temperature" | head 10 | rex "UPS2 Cool: (?
I want to create an alert that will send an email when the cool temperature on Splunk gets above 30 degrees.
Does anyone have an idea how to set this up?
You will need to add a condition to the end of your current search. Add the following and test that it only shows the values above 30.
yoursearch | rename avg(COOL) AS avgcool | search avgcool>30
-or-
yoursearch | rename avg(COOL) AS avgcool | where avgcool>30
Once you have run that search and verified the results, you can do this from the flashtimeline (where you will probably be testing this command) by selecting the "Create" dropdown button (on the right-hand side of your view by default) and then "Alert". This will show a pop-up containing your search. You should then follow the setup, selecting your time period and alert method (Alert Docs: HERE and HERE).
You will also need to configure your email settings, which can be done through the Manager and then "System Settings" (Email Docs: HERE).
Hope this helps,
Regards,
MHibbin
EDIT: Modified the searches above
Hi, when I ran this command it worked.
I got this result:
4/27/12
11:07:00.000 AM
UPS1 Warm: 28 UPS2 Cool: 30
This is the likely pattern I am looking for, but how can I filter this to only display UPS2 Cool: 30 as the final result without the UPS1 Warm: 28?
OK, in that case you would probably need to do something like...
index=main sourcetype="temperature" | rex "UPS2 Cool: (?
Sorry, I missed one of your questions: I want to be alerted when the cool temperature is >29, but I do not want it to do the stats avg(COOL) before giving the result.
Thanks for this information. I am even wondering if I can make it simple in this format: index="main" sourcetype="temperature" "30"
but I ran into a problem with the evaluation part of it. I just want to say where cool>29 so that it would not have to pick the warm. I am thinking using the stats part of this could cause some time delay; please, what do you think?
As these are two different values I would think it might be better to have two searches, i.e. one for "cool" and one for "warm"; then you could have devices, for example, and have temperature by device, e.g.
index=main sourcetype="temperature" | rex "UPS1 Warm: (?
and then another for avgcool, for a lower temperature.
So you wish to be alerted when the "cool" temperature is above 19 OR "warm" is above 29? If so...
index=main sourcetype="temperature" | rex "UPS1 Warm: (?
Let me know if this is what you meant?
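As an added example (not code from this thread or from Splunk), the following Python reproduces, on constructed sample events, the logic of the two searches discussed above: the averaged condition from the accepted answer (stats avg(COOL) AS avgcool | where avgcool>30) and the per-event warm OR cool check just suggested. The thread's own rex pattern is truncated, so the WARM/COOL regex below is an assumption about what it extracts.

```python
import re
from statistics import mean

# Constructed sample events in the layout the thread shows (not real data).
SAMPLE_EVENTS = [
    "4/27/12 11:07:00.000 AM UPS1 Warm: 28 UPS2 Cool: 30",
    "4/27/12 11:12:00.000 AM UPS1 Warm: 27 UPS2 Cool: 19",
    "4/27/12 11:17:00.000 AM UPS1 Warm: 30 UPS2 Cool: 20",
    "4/27/12 11:22:00.000 AM UPS1 Warm: 28 UPS2 Cool: 31",
    "4/27/12 11:27:00.000 AM UPS1 offline",  # malformed event: must not break the search
]

# Assumed pattern: the thread's rex is truncated, so these WARM/COOL capture
# groups are a guess at what the original search extracts.
TEMP_RE = re.compile(r"UPS1 Warm: (?P<WARM>\d+).*?UPS2 Cool: (?P<COOL>\d+)")


def extract(event):
    """Stand-in for `rex`: return {'WARM': int, 'COOL': int}, or None if no match."""
    m = TEMP_RE.search(event)
    if not m:
        return None
    return {"WARM": int(m.group("WARM")), "COOL": int(m.group("COOL"))}


def per_event_alerts(events, cool_max=29, warm_max=29):
    """Stand-in for `... | where COOL>29 OR WARM>29`: every single reading over a limit.

    Fires on each spike, so it catches a short excursion that an average would hide."""
    return [f for f in map(extract, events)
            if f and (f["COOL"] > cool_max or f["WARM"] > warm_max)]


def avg_alert(events, field, threshold):
    """Stand-in for `stats avg(FIELD) AS avgx | where avgx>threshold`.

    The aggregation happens first (stats); `where` then compares the plain renamed
    field, which is why `where avg(COOL)>30` is rejected. Returns (avg, fired)."""
    vals = [f[field] for f in map(extract, events) if f]
    if not vals:
        return None, False
    avg = mean(vals)
    return avg, avg > threshold


if __name__ == "__main__":
    print(per_event_alerts(SAMPLE_EVENTS))
    print(avg_alert(SAMPLE_EVENTS, "COOL", 29))
```

Note that over the same five events the per-event check fires three times while the averaged cool condition does not fire at all, which is the trade-off between the two searches.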
Thanks very much! - The main reason I mentioned this, is so the community can both judge how useful the answer was, and whether a question still requires input.
OK, I've played around with some of my data, not exactly the same...
I want to give you 100 points but to my surprise the points slide bar stops at 51.
I clicked on the acceptable and it says the question already has an acceptable answer.
The steps you've stated above worked. The additional question I was asking you is could one also do it this way using this parameter:
index=main sourcetype="temperature" | rex "UPS1 Warm: (?
?
I am happy your step above worked.
I guess I can use the parameter that works, since they are both using the same sourcetype I should still get the same results, and I just need to set my threshold to >29 since I want my alert when it hits 30 degrees.
index=main sourcetype="temperature" | head 10 | rex "UPS2 Cool: (?
I hope this is useful to others out there. Not sure if it is also useful, but my temperature data came from Cacti.
Thanks very much MHibbin for the tip. I should not have a problem setting this up in real time, I guess.
I have now combined the temperature threshold parameters:
index=main sourcetype="temperature" | rex "UPS1 Warm: (?
Is it possible to use your steps above? I tried it as stated below but it failed.
index=main sourcetype="temperature" | rex "UPS1 Warm: (?
OK, does that mean this question has been resolved? Or is there something else that needs sorting (my reading of this is that you have it working)?
If it has answered your question, and there are no more questions, can you mark the answer as accepted? Thanks 🙂
So I went back to your steps and reduced the temperature threshold at which I expect an alert to be sent to 19:
index=main sourcetype="temperature" | head 10 | rex "UPS2 Cool: (?
and I got a result of 20.0000.
I tried both steps above, and I got a better result as it was showing 10 matching events with the linear bar graph, but in the result field I got "0 result in the last 30 days "from 12:00:00 AM March 14 to 11:55:32 AM April 13, 2012". I decided to check the threshold of my warm and cool temperature by doing the following:
index=main sourcetype="temperature" | head 10 | rex "UPS2 Cool: (?
index=main sourcetype="temperature" | head 10 | rex "UPS1 Warm: (?
my stats avg(COOL) temp is 20.0000
my stats avg(WARM) temp is 28.0000
Note that I added the rename command and changed the final function.
OK, sorry, I just checked; apparently Splunk doesn't like the "()" in the search... try this...
index=main sourcetype="temperature" | head 10 | rex "UPS2 Cool: (?
-OR-
index=main sourcetype="temperature" | head 10 | rex "UPS2 Cool: (?
This shows the following error:
"Error in 'where' command: The 'avg' function is unsupported or undefined."
Is there anything I am doing wrong in terms of the parameter I am passing?
I have now tried to test the above conditions as follows:
index=main sourcetype="temperature" | head 10 | rex "UPS2 Cool: (?
and it generated the following errors:
"Error in 'search' command: Unable to parse the search comparator '>' has an invalid term on the left hand side".
and
index=main sourcetype="temperature" | head 10 | rex "UPS2 Cool: (?