Hi, our web server is fronted by a load balancer with 3 different VIPs.
I am using the search string below to see the stats:
sourcetype="access_log" (ip="10.10.10.10" OR ip="11.11.11.11" OR ip="12.12.12.12") | stats count by ip
On the other hand, I would like to get the alert if any of the counts is 0.
Can you shed some light on the search string?
Thanks!
A clean approach is to create a CSV lookup file and join it with your given query:
Lookup file in $SPLUNK_HOME/etc/apps/search/lookups/loadbalancers.csv:
ip
10.10.10.10
11.11.11.11
12.12.12.12
Then you should be able to create an alert using the following query:
| inputlookup loadbalancers.csv | join type=outer ip [ search sourcetype="access_log" (ip="10.10.10.10" OR ip="11.11.11.11" OR ip="12.12.12.12") | stats count by ip ] | where NOT count>0
(using the condition "number of events" greater than 0)
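The same zero-count check written without join, as an added example that is not part of the answer above. It assumes the loadbalancers.csv lookup file defined above and the same access_log sourcetype; the lookup is also used as a subsearch to build the ip filter, so the list of VIPs lives in one place:

```spl
| inputlookup loadbalancers.csv
| fields ip
| eval count=0
| append
    [ search sourcetype="access_log" [ | inputlookup loadbalancers.csv | fields ip ]
      | stats count BY ip ]
| stats sum(count) AS count BY ip
| where count=0
```

Every VIP from the lookup starts with count=0, the observed counts are appended, and the second stats sums per ip, so a VIP that produced no events keeps a count of 0 and becomes the alert row (alert condition: number of results greater than 0). This avoids relying on the outer join leaving count null, which is what `where NOT count>0` depends on in the query above, and it sidesteps the subsearch result limits that apply to join. The inner `[ | inputlookup ... | fields ip ]` expands to `(ip="10.10.10.10" OR ip="11.11.11.11" OR ip="12.12.12.12")`, so adding a fourth VIP only requires editing the CSV.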
Beautiful solution.
Much appreciated!