|
I am using the Manager to set-up a saved search/alert. Splunk runs a script every so often with an output like this: If "primary" ever changes to "backup", it alerts us via e-mail. "primary" is in a field called "ent_status". In the manager, I created a search like this: Using the menus-for-dummies, I told it "if number of events is greater than 0", send us an e-mail. Works great. But now I may be using a third party app to throttle the alerts (see my other question from earlier this morning). I need to re-format my alert to put into the "if custom condition is met" field. I'm having trouble doing this because "ent_channel" isn't an integer; I don't know how to do a compare. How do I translate "if number of events is greater than zero" into a search/alert command? I have the feeling I'm making this harder than it really is. Thank you very much. |
Refine your search:
- Apps & Questions
- Apps
- Questions
- Users
- Tags
One Answer:
Markdown Basics
- *italic* or _italic_
- **bold** or __bold__
- link:[text](http://url.com/ "Title")
- image?
- numbered list: 1. Foo 2. Bar
- to add a line break simply add two spaces to where you would like the new line to be.
- basic HTML tags are also supported
Tags:
Asked: 13 Sep '10, 13:43
Seen: 777 times
Last updated: 13 Sep '10, 13:58