Solved: Count By host

hartfoml · ‎10-30-2012

I am using this statement below to run every hour of the day looking for the value that is 1 on multiple hosts named in the search. A good startup is where I get 2 or more of the same event in one hour. If I get 0 then the system is running if I get one the system is not running.

search | timechart span=h count by host | where count < 2

I am expecting a total count of 2 of more for each host and if I get an event were count per host is less than 2 I want to get an alert. I actually would like to get an alert if the count is grater than 0 but less than 2. The above statement is not working for me. Any suggestions

gkanapathy · ‎10-30-2012

Your problem may be addressed by: http://splunk-base.splunk.com/answers/62196/any-way-to-return-zero-result-count-stats-of-a-field-suc... which is the same as http://splunk-base.splunk.com/answers/23839/include-zero-count-in-stats-count

View solution in original post

gkanapathy · ‎10-30-2012

Your problem may be addressed by: http://splunk-base.splunk.com/answers/62196/any-way-to-return-zero-result-count-stats-of-a-field-suc... which is the same as http://splunk-base.splunk.com/answers/23839/include-zero-count-in-stats-count

Count By host

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!