Solved: Splunk Alert on defined condition

mbasharat · ‎02-25-2020

Hi,

I have a SPL search that is producing counts for two values for my monitored application's transactions, Successful and Failure.

I need a conditional alert that triggers every time Failure count exceeds Successful count by at least 10 within 5 mins.

My search is running every 5 minutes looking back at data that comes within 5 minutes. I need custom Trigger Condition under Alert's Edit please.

Sample (Normal):
result count
Successful 100
Failure 10

Sample (Alert):
result count
Successful 100
Failure 111

Thanks in advance!

richgalloway · ‎02-25-2020

I find it easier to have the alert trigger when the number of results is not zero. Then it's just a matter of making the search return no results except in the error condition.

Share your current SPL and we can help craft it.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎02-25-2020

I find it easier to have the alert trigger when the number of results is not zero. Then it's just a matter of making the search return no results except in the error condition.

Share your current SPL and we can help craft it.

---
If this reply helps you, Karma would be appreciated.

Splunk Alert on defined condition

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!