Alerting

Creating an alert using the result obtained

Nidheesh
Explorer

I have this query to return the server whose event count is less than 10 during a time interval.

index=np_dss (source="DSS:DATA" OR source="DSS:DATAHUB") | stats count by host | where count<10 

This query returns 2 servers, N01APL100 & N01APL101, of the total 3 servers: N01APL100, N01APL101, N01APL102.

All I need is to create an alert that must state that the servers returned in the response (N01APL100 & N01APL101) are low in event count.

Eg: Server/s N01APL100 & N01APL101 are low in event count.

Can someone please help?


elliotproebstel
Champion

If you append this to your search, you can alert if the result count is greater than 0 and reference the field $result.message$ in your alert text.

| stats values(host) AS host 
| eval host=mvjoin(host, " & "), message="Server/s ".host." are low in event count." 
| fields message
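As an added example that is not part of the original thread, this savedsearches.conf stanza wires the complete search from the answer above into a scheduled alert that fires when at least one row comes back and puts $result.message$ into the notification; the stanza name, schedule, time window and recipient address are assumed.

```ini
# Added example (not from the thread): savedsearches.conf stanza for the alert.
# Stanza name, schedule, time window and recipient are assumptions.
[Low event count - DSS hosts]
search = index=np_dss (source="DSS:DATA" OR source="DSS:DATAHUB") \
| stats count by host \
| where count<10 \
| stats values(host) AS host \
| eval host=mvjoin(host, " & "), message="Server/s ".host." are low in event count." \
| fields message

# Run every 15 minutes over the previous 15 minutes (assumed window)
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Trigger only when the search returns at least one result row
counttype = number of events
relation = greater than
quantity = 0

# Record the trigger under Triggered Alerts
alert.track = 1
alert.severity = 3

# Email action; $result.message$ expands to the message field of the first result row
action.email = 1
action.email.to = dss-oncall@example.com
action.email.subject = Low event count: $result.message$
action.email.message.alert = $result.message$
```

Note that `stats count by host` only produces rows for hosts that logged at least one event in the window, so a host that has gone completely silent never reaches the `where count<10` test and will not be named in the alert; catching that case needs a separate list of expected hosts to compare against.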

Nidheesh
Explorer

Superb elliotproebstel! Thanks a ton.
