Alerting

How to trigger an alert when the count of unique values is greater than 10?

geerkenr
Engager

I am very new to Splunk and I am working on building an alert that will trigger when a field has more than 10 unique values.

index=network sourcetype=cisco  | dedup host | stats count by host 

I am having trouble with how to trigger an alert when the number of unique hosts is 10 or greater in a 20 minute period. Any guidance on how I can do this would be great.

Thanks!

1 Solution

kmaron
Motivator
index=network sourcetype=cisco | stats count by host 

Set your alert trigger condition to be Number of Results is greater than 9

And to do 20 minutes you can set your alert to use a cron schedule */20 * * * *
And set the time range to Relative - 20 minutes ago

OR

Change your search to get distinct count of hosts

index=network sourcetype=cisco | stats dc(host) as hosts_count | where hosts_count > 9

and set your alert to look for greater than 0


pakkineni
Loves-to-Learn

@elliotproebstel could you please suggest what's wrong in this


elliotproebstel
Champion

This is close, but I believe the search should be:

index=network sourcetype=cisco
| stats count by host

If you run the search with | stats dc(host), you will always get exactly one result - the distinct count of host values.

Another note for @geerkenr - you don't need to dedup before calling stats, in this instance, since you aren't using the counts for anything. Calling dedup first will just make the search less efficient.

kmaron
Motivator

According to the question he wanted the distinct count of host values: " when the number of unique hosts are 10 or greater "

Maybe I read the question wrong?


elliotproebstel
Champion

No, I read the requirements the same way - but it's a sneaky thing here. If you use | stats dc(host), you will get exactly one result - a count of unique hosts. But then if you set the alert to only trigger if the number of results is greater than 10, you will never alert. Let's say the events returned from

index=network sourcetype=cisco

include 25 unique host values. Then this:

index=network sourcetype=cisco
| stats dc(host)

will return a single result: dc(host)=25. And that won't trigger the alert, because the alert will see a single result. But this:

index=network sourcetype=cisco
| stats count by host

will return 25 results - each result will be a unique host value, followed by a count. And if there are more than 10 results, as desired, the alert will trigger.

There's a way to use your search structure to get the desired result, but it's a little less intuitive in the UI. You'd need to set a custom trigger and do something like dc(host)>=10. It would be more straightforward if the stats command were | stats dc(host) AS host_count, so the custom trigger could be host_count>=10, because I'm honestly not 100% sure whether dc(host)>=10 would require any quotes around the field name.

Anyway, much longer response than you probably wanted, but I thought it would be useful to expand on this.
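As an added example that is not part of this thread or Splunk's own code: the Python below models how the "Number of Results" trigger condition sees each of the search shapes discussed above. The events, the host names and the small evaluator for stats/where/trigger conditions are constructed here (it does not run SPL), and the function names are assumptions for illustration. It also generalises to the `| stats count | where count > N` shape, where the `where` drops the single result row whenever the total is at or below N, so a "greater than 0" trigger stays silent.

```python
from collections import Counter

# Constructed sample data (not from the page): 40 cisco events spread over
# 12 distinct hosts, standing in for what index=network sourcetype=cisco
# would return for one 20-minute window.
EVENTS = [{"host": f"switch-{i % 12:02d}", "sourcetype": "cisco"} for i in range(40)]

# Five events from five different hosts: below the threshold of 10.
FEW_HOSTS = EVENTS[:5]


def stats_count_by_host(events):
    """Model of `| stats count by host`: one result row per distinct host."""
    counts = Counter(e["host"] for e in events)
    return [{"host": h, "count": c} for h, c in sorted(counts.items())]


def stats_dc_host(events, field="hosts_count"):
    """Model of `| stats dc(host) as hosts_count`: always exactly one row."""
    return [{field: len({e["host"] for e in events})}]


def stats_count(events):
    """Model of `| stats count`: one row holding the total event count."""
    return [{"count": len(events)}]


def where_gt(rows, field, threshold):
    """Model of `| where <field> > <threshold>`: drops rows that fail the test,
    so a one-row result becomes zero rows when the value is not over threshold."""
    return [r for r in rows if r[field] > threshold]


def results_greater_than(rows, n):
    """Built-in trigger condition 'Number of Results is greater than n'.
    It only looks at how many rows came back, never at their values."""
    return len(rows) > n


def custom_condition(rows, field, at_least):
    """Custom trigger condition (e.g. `search hosts_count >= 10`): Splunk runs
    the condition as a search over the results and fires if any row survives."""
    return any(r.get(field, 0) >= at_least for r in rows)


def option_a_fires(events, threshold=10):
    """kmaron's first option: `stats count by host`, Number of Results > 9."""
    return results_greater_than(stats_count_by_host(events), threshold - 1)


def option_b_fires(events, threshold=10):
    """kmaron's second option: `stats dc(host) as hosts_count | where hosts_count > 9`,
    Number of Results > 0."""
    rows = where_gt(stats_dc_host(events), "hosts_count", threshold - 1)
    return results_greater_than(rows, 0)


def dc_without_where_fires(events, threshold=10):
    """The trap elliotproebstel describes: `stats dc(host)` on its own always
    yields one row, so 'Number of Results > 9' can never be true."""
    return results_greater_than(stats_dc_host(events), threshold - 1)


def custom_trigger_fires(events, threshold=10):
    """`stats dc(host) as hosts_count` with custom condition hosts_count >= 10."""
    return custom_condition(stats_dc_host(events), "hosts_count", threshold)


def event_count_fires(events, threshold):
    """Generalisation to `| stats count | where count > N`, Number of Results > 0:
    `where` leaves zero rows while the total is at or below N, so nothing fires."""
    return results_greater_than(where_gt(stats_count(events), "count", threshold), 0)


if __name__ == "__main__":
    for label, data in (("12 hosts", EVENTS), ("5 hosts", FEW_HOSTS)):
        print(label, {
            "count by host, results>9": option_a_fires(data),
            "dc+where, results>0": option_b_fires(data),
            "dc only, results>9": dc_without_where_fires(data),
            "dc, custom hosts_count>=10": custom_trigger_fires(data),
        })
    print("40 events, where count>1000:", event_count_fires(EVENTS, 1000))
    print("40 events, where count>30:", event_count_fires(EVENTS, 30))
```

The point the model makes visible is that the built-in condition counts rows, not values: `stats count by host` produces one row per host, so the row count is the distinct count, whereas `stats dc(host)` folds everything into a single row and needs either a `where` (to turn "below threshold" into "zero rows") or a custom condition that reads the field. Pair either option with the cron schedule and the matching relative time range so consecutive runs cover abutting 20-minute windows.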

kmaron
Motivator

Oh duh! Yes! I was trying to solve it two ways and put them into one that doesn't work instead of separating them and explaining. Thank you for correcting that.


elliotproebstel
Champion

Absolutely. 🙂 The rest of the answer was written with great detail. If you revise, I'll upvote it, because it's a useful answer for folks!


kmaron
Motivator

I fixed it and added both options 🙂 thank you!


pakkineni
Loves-to-Learn

index="index_name" | stats count | where count>1000

and trigger condition "number of results" "is greater than 0"

It's not triggering the alert in this condition.
