Splunk Search

Multiple alerts in one query

sahil237888
Path Finder

Please help, I want a query for the scenario below.

Requirement 1:
Check the occurrence of 0 in a 10 minute timeframe.
If it is continuously 0 for 5 minutes, set a counter at every continuous occurrence of 0 and send an alert.
When the value is > 0, reset the counter.

Requirement 2:
Check if specific logs have not been updating for some time and send an alert.

Requirement 3:
Check the occurrence of an event in a 10 minute timeframe and throw an alert at some threshold.
In this case the source file is different.


All these in one query, and the alert should specify what is wrong.


DalJeanis
SplunkTrust

First, no. Just no.

That is not ONE alert. At a minimum it is two. Writing that as one alert is going to give you nightmares trying to keep it up to date. Three unrelated conditions to be checked equals three alerts. It is possible that the first two use cases are a single alert, in which case the specifications are wrong for the first one, since it is describing a method, not a business requirement.


Second, your second point is a very standard "what happens when my hosts are not reporting in" kind of problem. There are probably twenty answers up here like the following two...

https://answers.splunk.com/answers/237872/find-hosts-which-are-not-reporting.html
https://answers.splunk.com/answers/406103/how-to-create-a-search-to-find-expected-hosts-that.html

It seems like the first requirement might have been your attempt to think through how to achieve this second requirement. Don't confuse those... the second requirement does not in any way need the first. You can search for other ways to achieve the second, and the first is never going to be the most efficient choice.


Third, the third alert is so general that it's hard to see what issue might exist with how to code it. Here is basic pseudocode for that one...

  earliest=-10m@m latest=@m index=foo
  your search that finds your events
  | stats count as hit_count by some_field
  | where hit_count >= whatever threshold you chose

adonio
Ultra Champion

what? why? when? where?
please give us a little more to work with ...

to your question, probably something like 

  .... search for data for (requirement 1) OR (requirement 2) OR (requirement 3) 
  | ... streamstats time_window=5m reset_after="(your_field_that_has_value_for_requirement_1>0)" avg(your_field_that_has_value_for_requirement_1) as avg_req_1
  | eval alert = case(avg_req_1=0,req_1,some_condition_for_req_2,req_2,more_conditions_for_req_3,req_#)
  | more stuff or table here ...
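The three conditions in adonio's sketch (a running zero counter that resets on the first non-zero value, a staleness check per source, and a count-over-window threshold) modelled in Python over constructed sample events, so the reset and threshold behaviour can be checked offline. This is an added example, not code from the thread or from Splunk; the sources "app", "auth", "db", the field names and the limits are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): one "app" metric sample per
# minute, a burst of "auth" failures, and a single early "db" heartbeat.
T0 = datetime(2024, 3, 1, 12, 0)
NOW = T0 + timedelta(minutes=10)           # the alert's evaluation time
EVENTS = (
    [{"time": T0 + timedelta(minutes=i), "source": "app", "value": v}
     for i, v in enumerate([0, 0, 0, 2, 0, 0, 0, 0, 0, 0])]
    + [{"time": T0 + timedelta(minutes=i), "source": "auth", "event": "login_failed"}
       for i in (1, 2, 2, 3, 7, 8)]
    + [{"time": T0 + timedelta(minutes=1), "source": "db", "event": "heartbeat"}]
)

def zero_run_counter(events, source="app"):
    """Requirement 1: consecutive zero samples; any value > 0 resets the run,
    like streamstats with reset_before="(value>0)"."""
    counter = 0
    for ev in sorted((e for e in events if e["source"] == source), key=lambda e: e["time"]):
        counter = counter + 1 if ev["value"] == 0 else 0
    return counter

def stale_sources(events, now, expected, max_age=timedelta(minutes=5)):
    """Requirement 2: expected sources whose newest event is older than max_age
    (or that never reported at all)."""
    latest = {}
    for ev in events:
        latest[ev["source"]] = max(latest.get(ev["source"], ev["time"]), ev["time"])
    return sorted(s for s in expected if s not in latest or now - latest[s] > max_age)

def event_count(events, source, name, now, window=timedelta(minutes=10)):
    """Requirement 3: occurrences of one event type in the lookback window."""
    return sum(1 for e in events if e["source"] == source
               and e.get("event") == name and now - window < e["time"] <= now)

def evaluate(events, now, zero_limit=5, threshold=5):
    """One human-readable reason per condition that fired, so the alert says
    what is wrong instead of just that something is."""
    reasons = []
    zeros = zero_run_counter(events)
    if zeros >= zero_limit:
        reasons.append(f"req1: value has been 0 for {zeros} consecutive samples")
    for s in stale_sources(events, now, expected=("app", "auth", "db")):
        reasons.append(f"req2: no events from {s} in the last 5 minutes")
    n = event_count(events, "auth", "login_failed", now)
    if n >= threshold:
        reasons.append(f"req3: {n} login_failed events in 10 minutes (threshold {threshold})")
    return reasons

if __name__ == "__main__":
    print("\n".join(evaluate(EVENTS, NOW)))
```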

sahil237888
Path Finder

@adonio

It worked.
Thanks.
Is it possible to use reset_after/before for resetting multiple fields (using foreach and streamstats)?