I am very new to Splunk and I am working on building an alert that will trigger when a field has more than 10 unique values.
index=network sourcetype=cisco | dedup host | stats count by host
I am having trouble with how to trigger an alert when the number of unique hosts is 10 or greater in a 20 minute period. Any guidance on how I can do this would be great.
Thanks!
index=network sourcetype=cisco | stats count by host
Set your alert trigger condition to be Number of Results is greater than 9
And to do 20 minutes you can set your alert to use a cron schedule */20 * * * *
And set the time range to Relative - 20 minutes ago
OR
Change your search to get distinct count of hosts
index=network sourcetype=cisco | stats dc(host) as hosts_count | where hosts_count > 9
and set your alert to look for greater than 0
@elliotproebstel could you please suggest what's wrong in this
This is close, but I believe the search should be:
index=network sourcetype=cisco
| stats count by host
If you run the search with | stats dc(host), you will always get exactly one result - the distinct count of host values.
Another note for @geerkenr - you don't need to dedup before calling stats, in this instance, since you aren't using the counts for anything. Calling dedup first will just make the search less efficient.
According to the question he wanted the distinct count of host values: " when the number of unique hosts are 10 or greater "
Maybe I read the question wrong?
No, I read the requirements the same way - but it's a sneaky thing here. If you use | stats dc(host), you will get exactly one result - a count of unique hosts. But then if you set the alert to only trigger if the number of results is greater than 10, you will never alert. Let's say the events returned from index=network sourcetype=cisco include 25 unique host values. Then this:
index=network sourcetype=cisco
| stats dc(host)
will return a single result: dc(host)=25. And that won't trigger the alert, because the alert will see a single result. But this:
index=network sourcetype=cisco
| stats count by host
will return 25 results - each result will be a unique host value, followed by a count. And if there are more than 10 results, as desired, the alert will trigger.
There's a way to use your search structure to get the desired result, but it's a little less intuitive in the UI. You'd need to set a custom trigger and do something like dc(host)>=10 (and it would be more straightforward if the stats command were | stats dc(host) AS host_count, and the custom trigger could be host_count>=10, because I'm honestly not 100% sure whether the dc(host)>=10 would require any quotes around the field name).
Anyway, much longer response than you probably wanted, but I thought it would be useful to expand on this.
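To make the difference between the two approaches concrete, here is an added Python simulation of how Splunk's alert trigger "sees" each search. It is not code from anyone on this thread and not Splunk's own logic; it re-implements the minimal semantics of | stats count by host, | stats dc(host) AS host_count, the "Relative - 20 minutes ago" time range, and the two trigger conditions discussed (Number of Results greater than N, and a custom host_count>=10 condition) over a small set of constructed cisco-style events. The host names, timestamps and counts are all made up for the example.

```python
"""Simulate how a Splunk alert trigger evaluates the two searches from this thread.

Added example, not from the original posts. The event data below is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events: one event per minute for 30 minutes, cycling through
# 12 hosts, plus a burst of repeated events from one host so counts differ from 1.
BASE = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = [(BASE + timedelta(minutes=i), f"switch{(i % 12) + 1:02d}") for i in range(30)]
EVENTS += [(BASE + timedelta(minutes=15), "switch04")] * 3


def in_window(events, now, minutes=20):
    """The alert's time range: keep only events in the trailing window
    (Splunk's 'Relative - 20 minutes ago' up to now)."""
    start = now - timedelta(minutes=minutes)
    return [(ts, host) for ts, host in events if start <= ts <= now]


def stats_count_by_host(events):
    """`| stats count by host`: one result row per distinct host."""
    counts = Counter(host for _, host in events)
    return [{"host": h, "count": c} for h, c in sorted(counts.items())]


def stats_dc_host(events):
    """`| stats dc(host) AS host_count`: always exactly one result row."""
    return [{"host_count": len({host for _, host in events})}]


def number_of_results_trigger(results, greater_than):
    """UI trigger condition 'Number of Results is greater than N'."""
    return len(results) > greater_than


def custom_trigger_host_count(results, at_least=10):
    """Custom trigger condition `host_count>=10` applied to the dc() row."""
    return any(row.get("host_count", 0) >= at_least for row in results)


def evaluate(now=None, minutes=20):
    """Run both searches over the window and report what each trigger would do."""
    if now is None:
        now = BASE + timedelta(minutes=29)  # the scheduled run at the end of the data
    window = in_window(EVENTS, now, minutes)
    by_host = stats_count_by_host(window)
    dc_row = stats_dc_host(window)
    return {
        "distinct_hosts": dc_row[0]["host_count"],
        "rows_from_count_by_host": len(by_host),
        "rows_from_dc": len(dc_row),
        # Option 1: count by host + 'Number of Results > 9'
        "count_by_host_fires": number_of_results_trigger(by_host, 9),
        # The mistake discussed above: dc() + 'Number of Results > 9' never fires
        "dc_with_results_gt_9_fires": number_of_results_trigger(dc_row, 9),
        # Option 2: dc() + custom trigger host_count>=10
        "dc_with_custom_trigger_fires": custom_trigger_host_count(dc_row, 10),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

Running it shows 12 distinct hosts in the 20-minute window: the count-by-host search returns 12 rows and fires on "greater than 9", the dc() search returns exactly one row and never fires on a results-count condition, but does fire with the custom host_count>=10 trigger. Shrinking the window (evaluate(minutes=5)) drops the distinct count to 6 and neither valid option fires, which is the time-range behaviour the original question asked for.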
Oh duh! Yes! I was trying to solve it two ways and put them into one that doesn't work instead of separating them and explaining. Thank you for correcting that.
Absolutely. 🙂 The rest of the answer was written with great detail. If you revise, I'll upvote it, because it's a useful answer for folks!
I fixed it and added both options 🙂 thank you!
index="index_name" | stats count | where count>1000
and trigger condition "number of results" "is greater than 0"
It's not triggering an alert in this condition.