Hi, I am trying to get a table type of alerting, but I am not getting the output:

index = ops host = Sr*xxxx* sourcetype=iislogs (HttpStatusCode =400 OR HttpStatusCode = 401 OR HttpStatusCode = 403 OR HttpStatusCode = 404 OR HttpStatusCode = 405) AND (*loadbalancer* OR *gateway* OR *IFT* OR *widget* ) NOT ( *.png OR *.gif OR *.css OR *fonts* OR *.txt OR *.gif OR *.ico OR *.jpg OR *.pdf OR *.exe OR *.cgi OR *.swf OR *.vmd OR *.xsl OR *.xml OR *qualy* OR *woff* OR *.bak OR *.png OR *.svg OR *.ttf OR *.ini OR *.temp OR *.data OR *.tar OR *curl* OR *.po OR *.mo OR *.tpl OR *.tmpl OR *script*)
| bin _time span=5m
| stats count as avg_count by _time
| where avg_count > 4
| eval alert="'splunk:".host.";crit;welcome to splunk Error ".host.";Process;rr_os;mmtt;tt_3'"
| table alert

I am expecting a table form, but I don't get anything. Could you please help?
Thanks,
Dinesh
After you run stats count as avg_count by _time, there is no longer a field called 'host'.
You can resolve this by using by _time, host instead.
index=ops host=Sr*xxxx* sourcetype=iislogs (HttpStatusCode=400 OR HttpStatusCode=401 OR HttpStatusCode=403 OR HttpStatusCode=404 OR HttpStatusCode=405) AND (*loadbalancer* OR *gateway* OR *IFT* OR *widget* ) NOT ( *.png OR *.gif OR *.css OR *fonts* OR *.txt OR *.gif OR *.ico OR *.jpg OR *.pdf OR *.exe OR *.cgi OR *.swf OR *.vmd OR *.xsl OR *.xml OR *qualy* OR *woff* OR *.bak OR *.png OR *.svg OR *.ttf OR *.ini OR *.temp OR *.data OR *.tar OR *curl* OR *.po OR *.mo OR *.tpl OR *.tmpl OR *script*)
| bin _time span=5m
| stats count as avg_count by _time, host
| where avg_count > 4
| eval alert="'splunk:".host.";crit;welcome to splunk Error ".host.";Process;rr_os;mmtt;tt_3'"
| table alert
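As an added illustration (not part of the original answer), a Python model of the same pipeline run over constructed events: grouping by _time alone discards host, so the eval concatenation has nothing to work with, while grouping by _time, host keeps it. The filter set is a reduced approximation of the original search, and the host names and URIs are made up.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (not from the original post): each is one IIS log
# line already reduced to (_time, host, HttpStatusCode, uri).
EVENTS = [
    ("2023-01-01T10:01:05Z", "Srweb01xxxx", 404, "/gateway/api/orders"),
    ("2023-01-01T10:02:10Z", "Srweb01xxxx", 401, "/gateway/api/orders"),
    ("2023-01-01T10:02:40Z", "Srweb01xxxx", 403, "/widget/v1/list"),
    ("2023-01-01T10:03:15Z", "Srweb01xxxx", 400, "/loadbalancer/health"),
    ("2023-01-01T10:04:55Z", "Srweb01xxxx", 405, "/IFT/submit"),
    ("2023-01-01T10:01:20Z", "Srweb02xxxx", 404, "/gateway/api/orders"),
    ("2023-01-01T10:03:30Z", "Srweb02xxxx", 404, "/gateway/logo.png"),  # dropped by NOT *.png
    ("2023-01-01T10:07:00Z", "Srweb01xxxx", 404, "/gateway/api/orders"),  # next 5m bin
]

STATUS_CODES = {400, 401, 403, 404, 405}
INCLUDE = ("loadbalancer", "gateway", "IFT", "widget")
EXCLUDE_SUFFIX = (".png", ".gif", ".css", ".ico", ".jpg", ".pdf", ".exe")  # subset of the NOT list
SPAN = 300  # bin _time span=5m

def matches(host, code, uri):
    """Approximation of the search-time filters in the original query."""
    return (host.startswith("Sr") and host.endswith("xxxx")
            and code in STATUS_CODES
            and any(tok in uri for tok in INCLUDE)
            and not uri.lower().endswith(EXCLUDE_SUFFIX))

def bin_time(ts):
    """bin _time span=5m: floor the epoch timestamp to the 300 s boundary."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return epoch - epoch % SPAN

def stats_count(events, by_host):
    """stats count by _time [, host]: only the fields named in 'by' survive."""
    counts = Counter()
    for ts, host, code, uri in events:
        if matches(host, code, uri):
            counts[(bin_time(ts), host) if by_host else (bin_time(ts),)] += 1
    return counts

def alerts(events, by_host, threshold=4):
    """where avg_count > 4 | eval alert=... ; None models the null eval result."""
    rows = []
    for key, n in stats_count(events, by_host).items():
        if n > threshold:
            host = key[1] if by_host else None  # host is gone after stats by _time
            rows.append(None if host is None else
                        f"'splunk:{host};crit;welcome to splunk Error {host};Process;rr_os;mmtt;tt_3'")
    return rows
```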
Yes, that worked @nickhillscpl