Alert Creation for indexes showing events less tha...

harshsri21 · ‎05-11-2017

I am new to splunk.

Trying to create an alert if any of the indexes shows event count less than the defined threshold. Below is my alert search query which i run every hour past 15.

Below is the table for my lookup:

index baseline_count
ip-bluecoat 3000000
ip-faas_siteminder 1000
ip-glux 2000000
ip-winevt 20000000

It is not working as expected. Can somebody please help in correcting the query or the approach.

Thanks in advance.

lguinn2 · ‎05-12-2017

I think that appendcols is not working as you might expect - it makes no attempt to order the rows so that they "match."
Try this instead:

| tstats count where index=ip-bluecoat OR index=ip-fass-siteminder OR index=ip-win-evt OR index=ip-glux by index
| append [ inputlookup feed_baseline_count.csv ]
| stats first(*) as * by index
| where count < baseline_count

Be sure that you are specifying the timerange properly when you run the search...

Alert Creation for indexes showing events less than threshold

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!