Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to have multiple custom alert trigger conditions

lucy2019
Explorer
‎02-23-2019 11:57 PM

When I create new alert, I choose Custom Trigger Condition. Is it possible if I write multiple trigger conditions use AND/ OR operator:

search count=0 AND category= something

Where category is from lookup table.

Reply

ragedsparrow
Contributor
‎02-26-2019 01:39 PM

So, one thing that you have to remember is that you need to have the data present in your output for the alert condition to pick it up. E.g. You have to have category in your final table or output.

For this, would you be able to modify your search to look like this?

sourcetype=abcd user=john ation=login 
|eval Date=strftime(now(), "%m/%d/%Y")
|lookup mydates.csv Date OUTPUTNEW category
|search NOT category=holiday
|table category Date
|stats count(action)

and then your alert condition could be:

search count =0

I think the reason that you are not getting anything with your alert condition is since you are doing a stats, the category field is no longer present anymore in the final result, so I would think that you either need to make it available in your final result, or filter it out in your search.

Reply

Sukisen1981
Champion
‎02-24-2019 02:21 AM

it is possible.
If you are able to retrieve trigger condition in a simple run time search, there is no reason why the same search will not work in an alert.
I do suspect however, that you are facing some issues in your search/trigger condition. Can you eleaborate a bit more?

Reply

lucy2019
Explorer
‎02-24-2019 08:18 AM

@Sukisen1981 Thanks for your response! I have a search to get user login activity counts. I need to trigger an alert to send an email if user login count = 0. I run this every hour but would like to exclude weekends and holidays as there will not be login activities anyway. I thought about many ways to do this and come down to this one now:
1. I create holidays.csv file and upload to lookups. The file looks like this:
Data, category
1/1/2019,holiday

  1. My search would be:

    sourcetype=abcd user=john ation=login
    |eval Date=strftime(now(), "%m/%d/%Y")
    |lookup mydates.csv Date OUTPUTNEW category
    |table category Date
    |stats count(action)

  2. In Alert setting, I set cron expression as:

    00 * * * 1-5 (this will exclude all weekends)

  3. In Custom Alert Trigger Condition, I am thinking of setting condition like:

    search count=0 AND NOT category=holiday

However, this did not work as I expected.

0 Karma
Reply

i_vern
Engager
‎11-03-2020 02:07 AM

@lucy2019first, your search request contains typo in "action" field

sourcetype=abcd user=john ation=login

and I'm not sure but the mistake seems to be what you use stats count(action) after table without action field.

Did you check the request in a regular search?

0 Karma
Reply

Sukisen1981
Champion
‎02-24-2019 08:35 AM

what happens if you slightly modify this to search count=0|where category !="holiday"

??

0 Karma
Reply

lucy2019
Explorer
‎02-24-2019 09:10 AM

@Sukisen1981 With or without 'where category ...' clause, the results were the same. Looks like category field output empty string.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...