Alerting

Alarm is not working

hommesf
New Member

Hey,

I've set up an alarm for a search which is very easy:
index=radius radius_login_status="Login OK:"
This gives me quite many results.

Now I've set up the alarm with trigger alarm when the number of results is higher than 5.

The search is executed every 5 min. and the results are between 50 and 2000. But no alarm is fired!

I don't understand why 😕

Thanx
Frank

0 Karma

skoelpin
SplunkTrust

Try setting your trigger in SPL rather than in the alert settings

index=radius radius_login_status="Login OK:"
| stats count
| where count>5
0 Karma

hommesf
New Member

Still no alarm 😞

0 Karma

skoelpin
SplunkTrust

How are you testing this? How is your alert setup? Are you looking for a count greater than 5 in a specific timespan? What timespan are you looking for?

This works on my end

| makeresults count=6
| stats count
| where count>5
| eval alarm=if(count>5,"ALERT","")
| fields alarm
0 Karma

hommesf
New Member

The output of this will be ALERT of course.
But I'm trying to set up an alert for the results of a search.
I got around 1000 entries per 5 minutes and the cronjob is running every five minutes. I can check the job out and I will get 1000 results.
But there is no alert although I set the Trigger Conditions to number of results and then is greater than 10.

0 Karma

skoelpin
SplunkTrust

You're not following the advice I'm giving you here..

You need to set up the alert in SPL, then change your alert value to "custom", then fill in count for the value.

0 Karma

hommesf
New Member

I probably don't understand.
So you mean in alert settings I should put in the following search:
index=radius radius_login_status="Login OK:"
| stats count
| where count>5

and then on alert value custom search count > 5
This is not working either.

0 Karma

skoelpin
SplunkTrust

No. Select "custom" in your alert actions. Then the field below it will be empty. In that empty field, put count

0 Karma

hommesf
New Member

I got the following error when saving:
"Cannot parse alert condition. Search Factory: Unknown search command 'count'."

0 Karma

skoelpin
SplunkTrust

My bad, it should look like this

index=radius radius_login_status="Login OK:"
| stats count

Have that empty field under "custom" as search count>5

0 Karma

hommesf
New Member

I had this for some time but it didn't work.
Tried it again but no alarm.

0 Karma

skoelpin
SplunkTrust

Works on mine.. Not sure anyone will be able to help you with such little information

0 Karma

hommesf
New Member

I'm willing to give more information but I don't know what more... Setting up an alarm should be quite easy, there is not much you can do wrong... When I check the results I DO get like 1000, and when I set the trigger to fire when there are more than 10 results it's no rocket science...
I'm confused...

0 Karma

skoelpin
SplunkTrust

It's very easy to set up alerts in Splunk.

My second comment from the top asks about the time range. If your timespan is not returning results then it will not alert. What is the time range you're searching over? Can you post pictures showing that time range with no results being returned?

0 Karma

hommesf
New Member

Splunk
It should fire when there are more than x results. At the moment I'm testing with 10 results. As you can see the search gives about 500 results atm.

0 Karma
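The setup skoelpin describes (scheduled search ending in stats count, a "custom" trigger condition of count>5, and a time range that actually covers the scheduled interval) written out as a single savedsearches.conf stanza so every setting involved can be checked in one place. This is an added example, not configuration from either poster; the stanza name, the 5-minute dispatch window and the email address are assumptions.

```ini
# Added example (not from this thread): the alert as a savedsearches.conf
# stanza. The stanza name, the dispatch window and the email address are
# placeholders chosen for illustration.
[radius_login_ok_burst]
# Base search from the thread; "stats count" returns exactly one result row
# carrying the total in the field "count".
search = index=radius radius_login_status="Login OK:" | stats count

# Run every 5 minutes ...
enableSched = 1
cron_schedule = */5 * * * *

# ... and count only the 5 minutes that ended on the last minute boundary.
# If this window does not cover the interval the schedule is meant to check,
# the scheduled run sees no events, count is 0 and nothing fires.
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m

# "Custom" trigger: the condition is an SPL fragment applied to the results
# of the scheduled search. It tests the count field, which is what matters
# here, because after "stats count" the number of result rows is always 1,
# so a "number of results > 5" trigger on this search can never fire.
alert_type = custom
alert_condition = search count > 5

# Fire once per scheduled run rather than once per result row.
alert.digest_mode = 1

# Notification target (constructed placeholder address).
action.email = 1
action.email.to = placeholder@example.com
```

Once the stanza is in place, opening the alert's search with the same earliest/latest values in the search bar and confirming that count is above 5 for that window is the quickest check that the trigger condition has data to act on.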