How to edit my search to send an email if the coun...

jampar12 · ‎06-26-2017

I'm new to Splunk and I have the Search where I check one Server for 7 Services and State=Stopped and run a stats count at the end and I'd to send out a email if the count > 0

index="*windows"  host=Q9BVPAVACT01 sourcetype=WinHostMon source=service Name=CyberTechDatabase* OR (index="*windows"  host=Q9BVPAVACT01   sourcetype=WinHostMon source=service Name="CybertechmediaManager" ) OR (index="*windows"  host=Q9BVPAVACT01 sourcetype=WinHostMon source=service Name=CybertechlicenseService   )    OR  (index="*windows"  host=Q9BVPAVACT01   sourcetype=WinHostMon source=service Name="CyberTechSystemManager" ) OR (index="*windows"  host=Q9BVPAVACT01   sourcetype=WinHostMon source=service Name="CybertechUserManager" )  OR (index="*windows"  host=Q9BVPAVACT01   sourcetype=WinHostMon source=service Name="MySQL" ) OR  (index="*windows"  host=Q9BVPAVACT01   sourcetype=WinHostMon source=service Name="CybertechRecord*" ) State=Stopped | stats  count

mbuehler_splunk · ‎06-26-2017

aaraneta,

So the first thing you want to do is click save as:
![alt text][1]

Then after you click this, select Alert:

[1]: /storage/temp/207661-cap1.jpgThen You will want to select the time window that you want the search to run in and the frequency, then select the add action from the triggered actions section, selecting send email:

If you have not setup your email server here is a guide to doing that.

Splunk Email setup and Configuration

jkat54 · ‎06-26-2017

You can greatly simplify this search too:

ex:
index=*windows host=Q9BVPAVACT01 State=Stopped source=service| stats count by Name | where count > 0

How to edit my search to send an email if the count of a down server is greater than 0?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!