- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- custom alert condtion for search query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
custom alert condtion for search query
sourcetype="access_combined_wcookie" uri_path="/en/US/*" OR uri_path="/web/fw/*" OR uri_path="/assets/*" dc="ALLN"
| chart count(uri_path) as Allen_hits
| join allen_id [ search
host="cdcxweb-prod*" sourcetype="access_combined_wcookie" uri_path="/en/US/*" OR uri_path="/web/fw/*"
OR uri_path="/assets/*" dc="RCDN"
| chart count(uri_path) as Rcdn_hits ]
| join total_id [ search
host="cdcxweb-prod*" sourcetype="access_combined_wcookie" uri_path="/en/US/*" OR uri_path="/web/fw/*"
OR uri_path="/assets/*"
| chart count(uri_path) as Total_hits ]
| eval AllenPercentage=(Allen_hits/Total_hits)*100
| eval RcdnPercentage=(Rcdn_hits/Total_hits)*100
| eval SLA_STATUS=case(RcdnPercentage>80 AND AllenPercentage<20,1234)
| table Allen_hits Rcdn_hits Total_hits AllenPercentage RcdnPercentage SLA_STATUS
I have created custom alert condition as below, but still am not getting alert and email.
search SLA_STATUS = 1234
pls help me on this one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the original searches, you join the results of the second search to the first search using allen_id. For the following join, you use total_id.
But I can't see how these joins could possibly work, as the second and third searches do not return fields named allen_id or total_id.
Also, your two subsearches are running over All Time - not just the search range that you chose for the outer search. Did you intend to do that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for your help. I did individual searches and getting results as expected and also entire search return the o/p as follow.
Allen_hits Rcdn_hits Total_hits AllenPercentage RcdnPercentage SLA_STATUS
0 416326 473875 0 87.855658 1234
as you suggested ,
I ran the below search query and getting only Allen and Rcdn vlaues and not getting OTH_cdcxweb values
sourcetype="access_combined_wcookie"
(uri_path="/en/US/" OR uri_path="/web/fw/" OR uri_path="/assets/")
(dc="ALLN" OR host="cdcxweb-prod")
| eval series=case(dc=="ALLN","Allen",
dc=="RCDN" AND host="cdcxweb-prod*","Rcdn",
host=="cdcxweb-prod*","OTH_cdcxweb".
1==1,"Unknown")
| where series!="Unknown"
| chart count by series
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First - do the individual searches (run separately) return any results?
Second - does the entire search return an SLA_STATUS=1234?
Third - what if you leave off the word search in the custom alert condition?
Finally, I think you could write a search that would run much faster:
sourcetype="access_combined_wcookie"
(uri_path="/en/US/*" OR uri_path="/web/fw/*" OR uri_path="/assets/*")
(dc="ALLN" OR host="cdcxweb-prod*")
| eval series=case(dc=="ALLN","Allen",
dc=="RCDN" AND host="cdcxweb-prod*","Rcdn",
host=="cdcxweb-prod*","OTH_cdcxweb".
1==1,"Unknown")
| where series!="Unknown"
| chart count by series
| eval totalHits = Rcdn + OTH_cdcxweb
| eval AllenPercentage=(Allen/totalHits)*100
| eval RcdnPercentage=(Rcdn/totalHits)*100
| eval SLA_STATUS=if(RcdnPercentage>80 AND AllenPercentage<20,1234)
| table Allen Rcdn totalHits AllenPercentage RcdnPercentage SLA_STATUS
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
