custom alert condition for alert

anoopambli · ‎05-17-2013

Can someone help me with this, i am pretty new to splunk and getting stuck with a custom alert condition. This is the search which i am using.

index=coreops sourcetype="sitescope_runmonitor" "ERROR - skipped #5" | top host by remoteHost | rename host AS SiS_Manager

gives me following result,

remoteHost SiS_Manager Count percent
eiman122vwin ei0760vwin 1 100.00000

I want to use trigger if custom conditions to match the value in count column and alert if any value is found higher thatn 5. I tried to use count>5 but that doesnt work. Any help would be really appreciated.

Anoop

alacercogitatus · ‎05-17-2013

You could setup your search as such:

index=coreops sourcetype="sitescope_runmonitor" "ERROR - skipped #5" | top host by remoteHost | rename host AS SiS_Manager | where count > 4

and then in your alert, set the condition to "if number events > 0"

alacercogitatus · ‎05-17-2013

You want to use the "if number events" condition, not custom condition, and then put a 0 in the box.

anoopambli · ‎05-17-2013

Not sure if iam trying anything wrong in the custom condition, but getting this error message,

Cannot parse alert condition. Error in 'SearchParser': Missing a search command before '"'.

I am getting this error on Create alert, trigger if custom condition.

eroncampello · ‎01-23-2024

I was facing the same issue, I used the following condition and is working fine

search result_of_search > 10

custom alert condition for alert

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!