Hi,
Is there a way to have this search do following: get me all sources that related to windows (win*) - then calculate the total, if the total is greater than 10kbps - send alert. I also want the search to create a stacked report
My search string is this:
index="_internal" (source=/metrics.log OR source=\metrics.log) group="per_sourcetype_thruput" series=win* | timechart span="10m" per_second(kb) by series | addtotals fieldname=Total label=all
the custom search condtion is
Where Total>10
I ran this task as scheduled and I'm getting all the results, not just the ones above 10k. If I run this in the search box I get the correct results:
index="_internal" (source=/metrics.log OR source=\metrics.log) group="per_sourcetype_thruput" series=win* | timechart span="10m" per_second(kb) by series | addtotals fieldname=Total label=all | where Total>10
but I don't know how to implement it using saved searches, and have it triggered if I actually have some results (splunk lets me trigger it if I get a certain number of events, not "results")
thanks
You should be able to use your second search, and simply use the following following in the Alert Conditions section:
perform actions: "if number of events"
"is greater than"
"0"
In this case number of "events" means number of results.
You should be able to use your second search, and simply use the following following in the Alert Conditions section:
perform actions: "if number of events"
"is greater than"
"0"
In this case number of "events" means number of results.
Great, didn't know you could do that, will give it a try.