Solved: How would I go about having an alert fire at a giv...

dannyze · ‎02-27-2020

How would I go about having an alert set at a given threshold ?

When I run the following, I sometimes get incomplete results in the stats table due to not every field meeting the number 6
index=_internal AND NOT email="blank@domain.com"
| stats count by email, Message, client.ipAddress, geographical.city
| where count>6
| sort -count

When I try the following, I get an alert for 6 total events with no threshold criteria met.
Trigger Condition:
Number of Results is > 6.

Desired outcome would be a criteria of the set threshold met and only when it is met. For example, an alert to fire on the 'count' of a given event occurring 6 times

Appreciate any tips in advance

arjunpkishore5 · ‎02-27-2020

In your query, you are already filtering events having count>6. So you trigger condition should be

Trigger Condition:
Number of Results is > 0

Trigger condition purely works on the results of the query and does not modify the query itself.

View solution in original post

dannyze · ‎02-27-2020

Thank you , modified my Trigger Condition accordingly

arjunpkishore5 · ‎02-27-2020

In your query, you are already filtering events having count>6. So you trigger condition should be

Trigger Condition:
Number of Results is > 0

Trigger condition purely works on the results of the query and does not modify the query itself.

How would I go about having an alert fire at a given threshold ?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life