Hey,
I've set up an alarm for a search which is very simple:
index=radius radius_login_status="Login OK:"
This gives me quite a lot of results.
Now I've set up the alarm to trigger when the number of results is higher than 5.
The search is executed every 5 minutes and the results are between 50 and 2000. But no alarm is fired!
I don't understand why 😕
Thanks
Frank
Try setting your trigger in SPL rather than in the alert settings
index=radius radius_login_status="Login OK:"
| stats count
| where count>5
Still no alarm 😞
How are you testing this? How is your alert setup? Are you looking for a count greater than 5 in a specific timespan? What timespan are you looking for?
This works on my end
| makeresults count=6
| stats count
| where count>5
| eval alarm=if(count>5,"ALERT","")
| fields alarm
The output of this will be ALERT of course.
But I'm trying to set up an alert for the results of a search.
I get around 1000 entries per 5 minutes and the cron job is running every five minutes. I can check the job and I get 1000 results.
But there is no alert, although I set the Trigger Conditions to "number of results" and then "is greater than 10".
You're not following the advice I'm giving you here.
You need to set up the alert in SPL, then change your alert value to "custom" and fill in count for the value.
I probably don't understand.
So you mean in alert settings I should put in the following search:
index=radius radius_login_status="Login OK:"
| stats count
| where count>5
and then on alert value custom search count > 5
This is not working either.
No. Select "custom" in your alert actions. Then the field below it will be empty. In that empty field, put count
I got the following error when saving:
"Cannot parse alert condition. Search Factory: Unknown search command 'count'."
My bad, it should look like this
index=radius radius_login_status="Login OK:"
| stats count
Have that empty field under "custom" as search count>5
I had this for some time but it didn't work.
Tried it again, but no alarm.
Works on mine. Not sure anyone will be able to help you with so little information.
I'm willing to give more information but I don't know what more... Setting up an alarm should be quite easy, there is not much you can do wrong... When I check the results I DO get around 1000, and when I set the trigger to fire when there are more than 10 results it's no rocket science...
I'm confused...
It's very easy to set up alerts in Splunk.
My second comment from the top asks about the time range. If your timespan is not returning results then it will not alert. What is the time range you're searching over? Can you post pictures showing that time range with no results being returned?
It should fire when there are more than x results. At the moment I'm testing with 10 results. As you can see, the search gives about 500 results at the moment.
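For reference, this is what the alert described in the replies above (custom trigger on count, scheduled every 5 minutes with a matching time range) looks like as a savedsearches.conf stanza. It is an added example, not something posted in the thread; the stanza name and the email recipient are made up.

```ini
# Added example, not from the thread. Stanza name and recipient are placeholders;
# the index, field and search come from the posts above.
[radius_login_ok_over_5]
search = index=radius radius_login_status="Login OK:" | stats count

# Run every 5 minutes and search exactly the 5 minutes that run is responsible for.
# If dispatch.earliest_time does not cover a window that actually has events,
# the search returns nothing and the alert can never fire.
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
enableSched = 1

# "| stats count" always returns exactly one row, so a trigger of
# "number of results > 5" would never fire against this search.
# A custom condition is evaluated against the search results instead and
# fires whenever the condition search returns at least one row.
counttype = custom
alert_condition = search count > 5

# Record triggered alerts and send a notification (recipient is a placeholder).
alert.track = 1
action.email = 1
action.email.to = placeholder@example.com
```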