- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Alerts setup with required values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alerts setup with required values
I have following fields in my splunk radioStatus,bitChange,DeviceChange,Temp,Humidity.
index=test | table
radioStatus: Running or Down
bit Change: 0=Closed & 1=Open
deviceChange 0=Normal or 1=Moved
Temp: 90 degrees or below= Normal Above 90 degrees = Abnormal --( regular values in between 1-90)
Humidity: 0-80% = Normal, Above 80%= Abnormal ( regular values in between 1-80)
Case 1)create alert if Radio status down and with respective to "Temp" change is above 90
Case 2)create a alert if Radio status running "Humidity" Above 80%= Abnormal
Case 3)create a alert if "Temp"changes Above 90 degrees = Abnormal for radios
Case 4) Create a alet if "Device" change 1=Moved with "Temp" Above 90 degrees = Abnormal
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
... | multireport
[ where radio_status="down" | stats dc(radioId) AS radiosDown BY area | where radiosDown >= 2 | eval severity = "Critical" ]
[ where radio_status="down" OR Temp > 90 | eval severity = "Major" ]
[ streamstats time_window=12h count(eval(Humidity<=80)) AS OK BY radioId | where OK = 0 | eval severity = "Minor" ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Splunk_rocks
You can use the below conditions:
1. index=test radioStatus= Down Temp > 90
2. index=test radioStatus= Running Humidity> 80
3. index=test Humidity>80 Temp> 90
4. index=test deviceChange = 1 Temp > 90
you can schedule the alert 30 sec or 1 min window and alert will be triggered if it find any event.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Those are simple i can but those are not works for me im looking where and if clause to add
like
1)2 or more Radio status down with in same area ( area field) or same region( region) send alert - critical
2) If only one Radio is down with in same me area ( area field) or same region( region) send alert -Major
3) if Temp> 90 - major
4) If Humidity "0-80" normal operation no alarm
5) If Humidity ">80" over 12 hours time- alert with minor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Show us a sample of your events. Yes, it matters VERY much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks,
here is sample event in _jason format in splunk
"radioId”: “00001",
“timestamp”: “Sat Dec 15 13:19:36 2018",
“deviceChange”: “0",
“Bitchanges”: “1",
“Temp”: “59.17 C”,
“Humidity”: ” 7.92",
“uname”: “Linux ESC_A10 4.14.0 #720 SMP Tue Dec 11 20:35:41 UTC 2018 GNU/Linux”,
“radio_status”: “running”,
“timestamp_cloud”: 187781}}'
we have automatic lookup file with location region state etc with mapped with radioid.
I need to construct below one
1)2 or more Radio status down with in same area ( area field) or same region( region) send alert - critical
2) If only one Radio is down with in same me area ( area field) or same region( region) send alert -Major
3) if Temp> 90 - major
4) If Humidity "0-80" normal operation no alarm
5) If Humidity ">80" over 12 hours time- alert with minor
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
