
How To Trigger Event Based On Value Of Sorted Search Output

mallem
Path Finder

I have already set up a saved search to alert on license breaches, but I'm trying to set up a more proactive search that will run every hour to alert on hosts whose throughput is over X number of megabytes. The idea is to be turned on to message floods before we reach our license ceiling. The search criteria below returns the top offending host and the sum of indexed megabytes. I need to set up a scheduled search that will trigger an e-mail with the offending host and sum in the body of the e-mail if the value of the "sum(MB)" field is greater than some number. I'm sure there are advanced alert conditions that can do this, but I haven't been able to figure it out. Any help is appreciated.

index=_internal source=*metrics.log splunk_server="*" NOT "*splunk*" starthoursago = 1 | search group="per_host_thruput" | eval MB=kb/1024 | chart sum(MB) by series | sort - sum(MB) | head 1
1 Solution

mallem
Path Finder

That worked! Thank you! Interesting that piping to "head" pulls the bottom offending hosts, but changing to the "tail" pulls in the top offending hosts in the below example. Opposite of the behavior I expected.

index=_internal source=*metrics.log splunk_server="*" NOT "*splunk*" startminutesago=60 | search group="per_host_thruput" | eval MB=kb/1024 | stats sum(MB) as sumMB by series | sort sumMB | tail 10

mallem
Path Finder

This search has been particularly helpful to me to nail down top offending servers. It can easily be modified to show indexing volume by source and sourcetype too.

index=_internal source=*metrics.log splunk_server="*" NOT "splunk" | search group="per_host_thruput" | eval MB=kb/1024 | stats sum(MB) as sumMB by series | sort sumMB | tail 10

mallem
Path Finder

Sorry it took me so long to respond. The saved search to alert on license breaches is below:

index=_internal source=*license_audit.log LicenseManager-Audit | delta quotaExceededCount as quotadiff | stats first(quotadiff) as quotadiff | search quotadiff>0

dwaddle
SplunkTrust

If someone provided an answer that solved your issue, kindly click the "accept" checkbox next to it so that it is marked as answered and the answerer receives their rep points for the help. Thanks!

ftk
Motivator

I updated the answer. Check it out.

ftk
Motivator

After scheduling your search you will want to select "if custom condition is met" as your alarm action. Then put the following into your Custom condition search:

search sum(MB) > 50

where 50 is the "some number" you are referring to in your question.

I personally would remove the sort and head off of your search and replace chart with stats as such:

index=_internal source=*metrics.log splunk_server="*" NOT "*splunk*" starthoursago = 1 | search group="per_host_thruput" | eval MB=kb/1024 | stats sum(MB) by series

and then use the custom condition search

search sum(MB) > 50

as this will alert you on all violating hosts, not just the top violating host.

For more info on alert conditions see http://www.splunk.com/base/Documentation/latest/User/SetAlertConditionsFromScheduledSearches

[EDIT]: Yeah, looks like the search on the sum(MB) isn't happy. You can work around it by giving the sum a name, as such. Using your query:

index=_internal source=*metrics.log splunk_server="*" NOT "*splunk*" starthoursago = 1 | search group="per_host_thruput" | eval MB=kb/1024 | chart sum(MB) as sumMB by series | sort - sumMB | head 1

or my version

index=_internal source=*metrics.log splunk_server="*" NOT "*splunk*" | search group="per_host_thruput" | eval MB=kb/1024 | stats sum(MB) as sumMB by series

And then setting your custom condition to

search sumMB > 50

This will work.
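As an added example that is not part of the original thread, the following Python reimplements what the accepted search and custom condition compute: restrict to group=per_host_thruput, drop events containing "splunk", convert kb to MB, sum per series, then keep every host over the threshold. It lets you check the aggregation offline against a handful of metrics.log lines. The sample events, hostnames and byte counts below are constructed in the style of Splunk's metrics.log key=value layout, not captured data, and the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample events (not real data). Layout follows Splunk's metrics.log
# key=value style; kb is the kilobytes indexed from that series in one interval.
SAMPLE_METRICS_LOG = """\
01-02-2024 10:00:01.123 +0000 INFO  Metrics - group=per_host_thruput, series="web01.example.test", kbps=1200.5, eps=980.0, kb=36015.0, ev=29400, avg_age=0.5, max_age=1
01-02-2024 10:00:01.123 +0000 INFO  Metrics - group=per_host_thruput, series="db01.example.test", kbps=40.1, eps=20.0, kb=1203.0, ev=600, avg_age=0.2, max_age=1
01-02-2024 10:00:01.123 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=900.0, eps=700.0, kb=27000.0, ev=21000, avg_age=0.5, max_age=1
01-02-2024 10:00:31.456 +0000 INFO  Metrics - group=per_host_thruput, series="web01.example.test", kbps=1100.0, eps=900.0, kb=33000.0, ev=27000, avg_age=0.5, max_age=1
01-02-2024 10:00:31.456 +0000 INFO  Metrics - group=per_host_thruput, series="splunk-idx01.example.test", kbps=5.0, eps=3.0, kb=150.0, ev=90, avg_age=0.1, max_age=1
01-02-2024 10:00:31.456 +0000 INFO  Metrics - group=per_host_thruput, series="db01.example.test", kbps=39.0, eps=19.5, kb=1170.0, ev=585, avg_age=0.2, max_age=1
"""

# key=value pairs; a value is either "quoted" or runs to the next comma/space
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def parse_metrics_line(line):
    """Return the fields after 'Metrics - ' as a dict, with quotes stripped."""
    _, sep, kv_part = line.partition("Metrics - ")
    if not sep:
        return {}
    return {k: v[1:-1] if v.startswith('"') else v for k, v in KV_RE.findall(kv_part)}


def sum_mb_by_host(lines, exclude="splunk"):
    """stats sum(MB) as sumMB by series, over group=per_host_thruput events only.

    Events whose raw text contains `exclude` are dropped first, matching the
    NOT "*splunk*" term in the thread's search (case-insensitive, like Splunk).
    """
    totals = defaultdict(float)
    for line in lines:
        if exclude.lower() in line.lower():
            continue
        fields = parse_metrics_line(line)
        if fields.get("group") != "per_host_thruput":
            continue
        totals[fields["series"]] += float(fields["kb"]) / 1024.0  # eval MB=kb/1024
    return dict(totals)


def hosts_over_threshold(lines, threshold_mb):
    """The custom condition `search sumMB > threshold_mb`, applied to every host
    so that all offenders fire the alert, not just the heaviest one."""
    over = [(h, mb) for h, mb in sum_mb_by_host(lines).items() if mb > threshold_mb]
    return sorted(over, key=lambda hm: hm[1], reverse=True)


def top_hosts(lines, n=1):
    """`sort - sumMB | head n`: the n heaviest hosts, heaviest first."""
    ranked = sorted(sum_mb_by_host(lines).items(), key=lambda hm: hm[1], reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    events = SAMPLE_METRICS_LOG.splitlines()
    for host, mb in hosts_over_threshold(events, 50):
        print(f"ALERT {host} indexed {mb:.2f} MB in the window (> 50 MB)")
```

On the sample data only web01.example.test crosses a 50 MB line; the sourcetype row is ignored because it is a different group, and the indexer's own host is excluded by the "splunk" filter. Note the sort direction behind the head/tail observation in this thread: `sort sumMB` is ascending, so `tail 10` returns the heaviest hosts, while `sort - sumMB | head 10` returns the same set heaviest-first, which is what top_hosts does.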

eclypse
Engager

mallem, I'd love if you could share the search you are using to alert on license breaches.

ftk
Motivator

You are right. The search on sum(MB) isn't happy -- work around it by renaming the sum field. I edited the answer.

mallem
Path Finder

I tried using your recommended expression, along with "search sum(MB) > 50" as the custom condition search, but it doesn't trigger any e-mails. I reduced the "search sum(MB)" to "> 1", but still nothing. I retried using my search expression. Still nothing.
