Solved: How to create Alerts

ncbshiva · ‎05-09-2013

Hi

This is my search query-source=***************************************** | table ORDERID "Delay(in days)"

This is the result of the search query
ORDERID Delay(in days)
1 269150751 4.00
2 269126721 7.00
3 269157489 21.00
4 269153074 114.00
5 269159590 217.00
6 269110381 118.00
7 269163859 24.00

I want to create Alerts for those ORDERIDs whose Delay is greater than 100.

Please tell what type of alert i should select and important parameters

marellasunil · ‎05-10-2013

You can use if condition as well,
..| eval delayalert=if(Delay>100, "Delay for the ".ORDERID." more than 100days", "OK") | table ORDERID, Delay, delayalert

In the alert, there is a dropdown in the condition, select "if custom condition is met" & type - where delayalert!="OK".

It sends an e-mail with the delayalert which ORDERID is taking more than 100days

View solution in original post

marellasunil · ‎05-10-2013

The above one sends an e-mail only when the ORDERID is more than 100. otherwise it do't send the e-mail. If u want the e-mail to be sent always irrespectibe of the status, schdule the e-mail.

marellasunil · ‎05-10-2013

You can use if condition as well,
..| eval delayalert=if(Delay>100, "Delay for the ".ORDERID." more than 100days", "OK") | table ORDERID, Delay, delayalert

In the alert, there is a dropdown in the condition, select "if custom condition is met" & type - where delayalert!="OK".

It sends an e-mail with the delayalert which ORDERID is taking more than 100days

kristian_kolb · ‎05-10-2013

You can add a filter to your search to only show those ORDERID's that are more than 100 days delayed.

your base search | where "Delays (in days)">100|table ORDERID "Delays (in days)"

Then set a schedule for the search and alert condition "always". This will be more like a scheduled report than an alert.

How to create Alerts

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!