How to generate a search to count the number of ro...

Nishant_007 · ‎10-24-2016

Need a search to count number of rows present and if it is less that a certain value to send alert. Also, i want the list of rows in that same mail.

Sarmbrister · ‎10-24-2016

When you say "count number of rows present" do you mean the number of rows in a static table? If I'm understanding what you want is the count of rows in a table and the static table in an alert.

Nishant_007 · ‎10-25-2016

let me explain my problem
Lets assume i have index = App
has one service called login for which i have 4 nodes as login_1,login_2,login_3 & login_4

index= App host = Login_* | stats count by host |addcoltotals

So, it returns
host Count
Login_1 123124
Login_2 342345
Login_3 34235423
Login_4 4235235
addcoltotal 4

So, I want to set an alert when it this addcoltotal is less than 4. Which means one of the node is not sending data. Also, i want show the details of the one's which are sending data. So, the concerned person know for which node that person has to check.

Can you help me with it ?

sundareshr · ‎10-24-2016

There's great documentation online on scheduling alerts. Here's one link to get you started. Once you have saved your search as an alert, set the trigger on count of events returned. Here you can specify your rule of less than n to trigger the alert

http://docs.splunk.com/Documentation/Splunk/6.5.0/Alert/Definescheduledalerts

*UPDATED*

index=App host=Login_* | eventstats dc(host) as nohosts | stats count max(nohosts) as hostcount by host

Nishant_007 · ‎10-24-2016

Thanks for the input I know how to create alerts.

let me explain my problem
Lets assume i have index = App
has one service called login for which i have 4 nodes as login_1,login_2,login_3 & login_4

index= App host = Login_* | stats count by host |addcoltotals

So, it returns
host Count
Login_1 123124
Login_2 342345
Login_3 34235423
Login_4 4235235
addcoltotal 4

So, I want to set an alert when it this addcoltotal is less than 4. Which means one of the node is not sending data. Also, i want show the details of the one's which are sending data. So, the concerned person know for which node that person has to check.

Can you help me with it ?

sundareshr · ‎10-25-2016

Try the updated query. For trigger condition, use custom and `search hostcount<4'

Nishant_007 · ‎10-27-2016

Thanks buddy,

I guess the query is working fine. But, I am not getting any alerts still.
Is there any way i can check whether the alert is getting triggered or not. coz i am not receiving in my mail box.

sundareshr · ‎10-27-2016

I would start by creating a very simple alert index=_internal sourcetype="splunkd" | head 1 set alert where search sourcetype="splunkd". If that works, this should work.

Nishant_007 · ‎10-27-2016

Sundaresh r all the other alerts we have created are working fine.

Just this alert is not triggering

sundareshr · ‎10-28-2016

Then add this to the end of your query | where hostcount<4 and trigger alert on count>0

aaraneta_splunk · ‎11-07-2016

@Nishant_007 - Did the answers provided by sundareshr help to resolve your question? If yes, please click on "Accept" to close out your post. Thank you!

Nishant_007 · ‎10-27-2016

What updated Query??

Nishant_007 · ‎10-27-2016

Oh i see it now... 😄 sorry was looking at the wrong place

How to generate a search to count the number of rows present and if it is less that a certain value to send an alert?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life