I have this query to return the server whose event count is less than 10 during a time interval.
index=np_dss (source="DSS:DATA" OR source="DSS:DATAHUB") | stats count by host | where count<10
This query returns 2 servers N01APL100 & N01APL101 of the total 3 servers, N01APL100, N01APL101, N01APL102.
All I need is to create an alert whose message states that the servers returned in the response (N01APL100 & N01APL101) are low in event count.
Eg: Server/s N01APL100 & N01APL101 are low in event count.
Can someone please help?
If you append this to your search, you can alert if the result count is greater than 0 and reference the field $result.message$ in your alert text.
| stats values(host) AS host
| eval host=mvjoin(host, " & "), message="Server/s ".host." are low in event count."
| fields message
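As an added illustration (not part of the original answer), the following Python simulates the full pipeline above on constructed sample events, so the behaviour of the count, threshold and mvjoin steps can be checked offline. It goes one step beyond the page: `stats count by host` never emits a row for a host that sent zero events in the window, so the optional `expected_hosts` argument (an assumption of this example, not something the original search does) lets a completely silent server be reported as well.

```python
from collections import Counter

# Constructed sample events standing in for index=np_dss results:
# (host, source) pairs. N01APL102 is chatty, the other two are quiet.
SAMPLE_EVENTS = (
    [("N01APL100", "DSS:DATA")] * 4
    + [("N01APL101", "DSS:DATAHUB")] * 7
    + [("N01APL102", "DSS:DATA")] * 25
    + [("N01APL102", "DSS:OTHER")] * 3   # dropped by the source clause
)

SOURCES = {"DSS:DATA", "DSS:DATAHUB"}


def count_by_host(events, sources=SOURCES):
    """Equivalent of `(source=... OR source=...) | stats count by host`."""
    return Counter(host for host, source in events if source in sources)


def low_count_hosts(counts, threshold=10, expected_hosts=()):
    """Equivalent of `| where count<threshold`.

    expected_hosts is an assumption added here: hosts in that list with
    no events at all are treated as count 0, since the stats command
    produces no row for them and they would otherwise never be flagged.
    """
    counts = dict(counts)
    for host in expected_hosts:
        counts.setdefault(host, 0)
    # values(host) in SPL is de-duplicated and sorted; sorted() matches that.
    return sorted(host for host, c in counts.items() if c < threshold)


def alert_message(hosts):
    """Equivalent of `stats values(host) ... | eval host=mvjoin(host, " & ")`.

    Returns None when nothing is below the threshold, mirroring a search
    that yields zero results and therefore does not trigger the alert.
    """
    if not hosts:
        return None
    return "Server/s " + " & ".join(hosts) + " are low in event count."


if __name__ == "__main__":
    counts = count_by_host(SAMPLE_EVENTS)
    print(alert_message(low_count_hosts(counts)))
```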
Superb elliotproebstel! Thanks a ton.