Solved: Custom alert condition

Branden · ‎09-13-2010

I am using the Manager to set-up a saved search/alert. Splunk runs a script every so often with an output like this:

Active channel: primary channel

If "primary" ever changes to "backup", it alerts us via e-mail. "primary" is in a field called "ent_status".

In the manager, I created a search like this:

sourcetype="echk" ent_channel=backup

Using the menus-for-dummies, I told it "if number of events is greater than 0", send us an e-mail. Works great.

But now I may be using a third party app to throttle the alerts (see my other question from earlier this morning). I need to re-format my alert to put into the "if custom condition is met" field.

I'm having trouble doing this because "ent_channel" isn't an integer; I don't know how to do a compare. How do I translate "if number of events is greater than zero" into a search/alert command?

I have the feeling I'm making this harder than it really is.

Thank you very much.

ziegfried · ‎09-13-2010

| stats count | where count>0

View solution in original post

ziegfried · ‎09-13-2010

| stats count | where count>0

Branden · ‎09-13-2010

Now that was easy, heh. Thanks!

Custom alert condition

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?