Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alert based on the value of a field

bshamsian
Path Finder
‎07-27-2012 11:53 AM

Can someone tell me or point me in the direction of setting up an alert based on the value of a field. Basically the field is an integer indicating some queue size and if it goes above some threshold I would like an alert/email be sent out.

Reply

cburr2012
Path Finder
‎07-27-2012 12:38 PM

bshamsian,

I think you want to do something like this.

index=this_index query_terms_here | stats count by value | where value>10

Then just set your alert to trigger when # of events is greater than 0.

(example)

index="Windows" sourcetype=WinEventLog:Security | stats count by host | where host>100

Then set your alert.

Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...