Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help with Searching data for offline and online events

dglass0215
Path Finder
‎03-27-2019 08:03 AM

Hello,

I have a log file that I am indexing that has events that log the word "offline" and the word "online". I want to be alerted when the event offline occurs so I am currently searching for "offline" in my sourcetype and sending out an email. Then I want to be alerted when the event online occurs. Simple right? Similar query similar alert.

The problem is that when the log file has the word offline, it has it in there MANY times until the word online occurs. And I don't want to bombard email every 5 minutes with another alert. So I have been playing around with throttling however this is not perfect and I can miss a real offline alert.

Can anyone help with coming up with a search and alert methodology that will be full proof in making sure I always get an alert when offline and an alert when online?

Thanks!

Tags (1)
0 Karma
Reply

sduff_splunk
Splunk Employee
Splunk Employee
‎03-27-2019 05:40 PM

Do you have a host or server associated with the offline and online states?

What you could do is write the state of any offline hosts out to a file ( |outputcsv or |outputlookup). If a host already exists in the file, don't raise an alert about it. Remove the host from the file once you see a corresponding online message

0 Karma
Reply

dglass0215
Path Finder
‎04-01-2019 06:21 AM

I have the events already indexed in Splunk. So I can already query if the service is offline or online. The problem comes with a methodology for alerting via email. I could simply just run an alert every 5 minutes and send an email however would you really want to receive an email every 5 minutes telling you the service is down?

That's what I am trying to avoid. To figure out a way to make sure we get an email just once when offline and then an email once back online.

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...