When I create a new alert, I choose Custom Trigger Condition. Is it possible to write multiple trigger conditions using AND/OR operators:
search count=0 AND category= something
Where category is from lookup table.
So, one thing that you have to remember is that you need to have the data present in your output for the alert condition to pick it up, e.g. you have to have category in your final table or output.
For this, would you be able to modify your search to look like this?
sourcetype=abcd user=john action=login
|eval Date=strftime(now(), "%m/%d/%Y")
|lookup mydates.csv Date OUTPUTNEW category
|search NOT category=holiday
|table category Date
|stats count
and then your alert condition could be:
search count=0
I think the reason that you are not getting anything with your alert condition is that, since you are doing a stats, the category field is no longer present in the final result, so I would think that you either need to make it available in your final result or filter it out in your search.
It is possible.
If you are able to retrieve trigger condition in a simple run time search, there is no reason why the same search will not work in an alert.
I do suspect, however, that you are facing some issues in your search/trigger condition. Can you elaborate a bit more?
@Sukisen1981 Thanks for your response! I have a search to get user login activity counts. I need to trigger an alert to send an email if the user login count = 0. I run this every hour but would like to exclude weekends and holidays, as there will not be login activities anyway. I thought about many ways to do this and came down to this one:
1. I create a holidays.csv file and upload it to lookups. The file looks like this:
Data, category
1/1/2019,holiday
My search would be:
sourcetype=abcd user=john ation=login
|eval Date=strftime(now(), "%m/%d/%Y")
|lookup mydates.csv Date OUTPUTNEW category
|table category Date
|stats count(action)
In Alert setting, I set cron expression as:
00 * * * 1-5 (this will exclude all weekends)
In Custom Alert Trigger Condition, I am thinking of setting a condition like:
search count=0 AND NOT category=holiday
However, this did not work as I expected.
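Why the trigger condition above never matches, and one way around it, shown as an added example (not code from the original post or from any of the answers): stats keeps only the fields it produces, so category is gone by the time the trigger condition runs. This search constructs three login events with makeresults, filters them all away with a deliberately non-matching search to simulate an hour with no logins, and uses an eval case() as a stand-in for the holidays.csv lookup (the two holiday dates in it are constructed). It generalizes the first answer's point slightly: the holiday status is attached to the single summary row after stats, so it is present even when no events matched at all, which is exactly the hour the alert is meant to catch.

```spl
| makeresults count=3
| eval user="john", action="login"
| search action=logout
| stats count
| eval Date=strftime(now(), "%m/%d/%Y")
| eval category=case(Date="01/01/2019", "holiday", Date="12/25/2019", "holiday", true(), "workday")
| table Date category count
```

Run as a regular search this returns one row: today's Date, category=workday (unless today is one of the two constructed dates) and count=0, so a custom trigger condition of `search count=0 NOT category=holiday` fires on a workday and stays quiet on a holiday. To use it on real data, replace the first three lines with `sourcetype=abcd user=john action=login` and the case() line with `| lookup holidays.csv Date OUTPUTNEW category | fillnull value="workday" category`; for that to match, the CSV header must be `Date,category` and the dates must be written the way strftime produces them (`01/01/2019`, zero-padded, not `1/1/2019`), since the lookup compares the strings exactly. Note also that `stats count(action)` names its output field `count(action)`, so a condition on `count` never matches it; use plain `stats count`, or `stats count(action) AS count`.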
@lucy2019first, your search contains a typo in the "action" field:
sourcetype=abcd user=john ation=login
and I'm not sure, but the mistake seems to be that you use stats count(action) after a table command that does not include the action field.
Did you check the request in a regular search?
What happens if you slightly modify this to search count=0 | where category!="holiday" ??
@Sukisen1981 With or without the 'where category ...' clause, the results were the same. Looks like the category field outputs an empty string.