Reporting

email alert condition

jvmerilla
Path Finder

Hi,
I have an email alert that will send a table with a field Status.
Now, I need to send this email every hour starting from 8am, until all values of Status is equal to 100%.
If all Status is equals to 100% it should stop sending email.

Is this possible to do in email alert?

Thanks in advance!

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@jvmerilla,
Yes, schedule it for every hour and add a condition to the search or alert where Status<=100 . In this case, when status is 100 , then the alert won't be triggered.

Happy Splunking!
0 Karma

jvmerilla
Path Finder

Hi @renjith.nair,

Would it work if I have for example 10 events.
For example by 8am, only 2 the events have Status=100%, so it will send alert containing all the events, including the Status=100% and Status!=100%.
But when every event has Status=100%, is should stop sending email.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@jvmerilla,
Yes , we can do it by adding this to your search (remove the previous where Status<100)

"your search to get all the events with Status"|eventstats count(eval(if(Status=100,1,null()))) as count_by_status,count as total|where count_by_status!=total|fields Status

Below is a run anywhere example. Try it by changing the values of Status (100,90,80)

|makeresults|eval Status="100,90,80"|makemv Status delim=","|mvexpand Status
|eventstats count(eval(if(Status=100,1,null()))) as count_by_status,count as total|where count_by_status!=total|fields Status
Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...