Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to see if two different hosts have failure event records?

riotto
Path Finder
‎07-25-2016 02:54 PM

I need to return a "yes"
if (host=A has events > 0 and host=B has events > 0)
else '"no"

Tags (2)
0 Karma
Reply

riotto
Path Finder
‎07-26-2016 06:22 AM

sundareshr,

Won't that search give either host=A or host=B (...or maybe both) ? I need to return a "yes' when I have failure record from BOTH host=A and host=B

0 Karma
Reply

sundareshr
Legend
‎07-25-2016 05:14 PM

Try this

index=yourindex host=A OR host=B "failure" | stats count | eval result=if(count>0, "Yes", "No")
0 Karma
Reply

riotto
Path Finder
‎07-26-2016 06:26 AM

Won't that return a "yes" if either host A or host B returns an event?
I need when both host a and host b return an event

0 Karma
Reply

sundareshr
Legend
‎07-26-2016 06:30 AM

Ah!!! Try this

index=yourindex host=A OR host=B "failure" | stats dc(host) as hosts | eval result=if(hosts=2, "Yes", "No")
0 Karma
Reply

riotto
Path Finder
‎07-26-2016 06:35 AM

Yes I believe that will do it, you da man...Is there a way to pass the value of 'result' to a windows batchfile
that will be triggered to run when this alert runs?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...