Hello Splunkers,
I have the following unique fields in my search results: radioid, radiostatus, region.
I need to write alerts with actions like this:
1.) If only one radio status changed to "down" within the same geographic area:
Open a ticket with severity "Major" and proceed with troubleshooting.
2.) If two or more radio statuses changed to "down" within the same geographic area:
Open a ticket with severity "Critical" and proceed with troubleshooting.
Any help will be much appreciated.
Sample data would have been great. Also, it is important that you scan a specific period of time.
Assuming the below is a sample set of data and you look at a 1-hour time span:
radioid=101 radiostatus=down region=Europe
radioid=102 radiostatus=up region=Europe
radioid=103 radiostatus=down region=Europe
radioid=104 radiostatus=down region=America
Sample test search:
| makeresults
| eval raw_data="radioid=101 radiostatus=down region=Europe; radioid=102 radiostatus=up region=Europe; radioid=103 radiostatus=down region=Europe; radioid=104 radiostatus=down region=America"
| makemv delim=";" raw_data
| mvexpand raw_data
| rex field=raw_data "radioid=(?<radioid>\S+)\s+radiostatus=(?<radiostatus>\S+)\s+region=(?<region>\S+)"
| search radiostatus=down
| stats count(radiostatus) as radiostatus_down_count by region
| eval severity=if(radiostatus_down_count>1,"Critical","Major")
Cheers
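The same per-region counting, written out as an added Python example so the alert logic can be tested offline. This is not code from the answer above or from Splunk; the timestamps, radio ids and regions in SAMPLE_EVENTS are constructed, and WINDOW_END and the one-hour window are assumptions. It goes one step beyond the search above: it keeps the previous status of every radioid so that only radios that actually changed from up to down inside the window are counted, and a radio that was already down before the window opened is not reported again.

```python
"""Per-region 'radio went down' alerting, mirroring the answer's SPL.

Constructed example: count radios that changed to 'down' per region inside a
time window and map the count to a ticket severity (1 -> Major, 2+ -> Critical).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): timestamp + the same
# key=value layout as the sample data in the answer.  Radio 106 went down
# before the window and radio 105 was already down when it opened; neither
# should produce a ticket for the 09:00-10:00 window.
SAMPLE_EVENTS = """\
2024-03-01T08:00:00 radioid=106 radiostatus=up region=America
2024-03-01T08:30:00 radioid=106 radiostatus=down region=America
2024-03-01T08:50:00 radioid=105 radiostatus=down region=Asia
2024-03-01T09:05:00 radioid=101 radiostatus=up region=Europe
2024-03-01T09:05:00 radioid=102 radiostatus=up region=Europe
2024-03-01T09:05:00 radioid=103 radiostatus=up region=Europe
2024-03-01T09:05:00 radioid=104 radiostatus=up region=America
2024-03-01T09:40:00 radioid=101 radiostatus=down region=Europe
2024-03-01T09:50:00 radioid=103 radiostatus=down region=Europe
2024-03-01T09:55:00 radioid=104 radiostatus=down region=America
2024-03-01T09:58:00 radioid=105 radiostatus=down region=Asia
"""

# Assumed end of the evaluation window (the "now" of a scheduled alert run).
WINDOW_END = datetime(2024, 3, 1, 10, 0, 0)

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+radioid=(?P<radioid>\S+)\s+"
    r"radiostatus=(?P<radiostatus>\S+)\s+region=(?P<region>\S+)\s*$"
)


def parse_events(text):
    """Parse key=value lines into dicts sorted by time; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def down_transitions(events, window_end, window=timedelta(hours=1)):
    """Return the events where a radio *changed* to 'down' inside the window.

    Previous status is tracked over all events, including those before the
    window, so a radio that was already down is not reported again.  A radio
    whose first observation is 'down' is counted: with no prior state we
    cannot show it did not change, so the check fails toward alerting.
    """
    window_start = window_end - window
    last_status = {}
    transitions = []
    for ev in events:
        if ev["ts"] > window_end:
            break
        prev = last_status.get(ev["radioid"])
        if ev["radiostatus"] == "down" and prev != "down" and ev["ts"] >= window_start:
            transitions.append(ev)
        last_status[ev["radioid"]] = ev["radiostatus"]
    return transitions


def severity_by_region(transitions):
    """Group down-transitions by region and map the distinct-radio count to a severity."""
    radios = defaultdict(set)
    for ev in transitions:
        radios[ev["region"]].add(ev["radioid"])
    report = {}
    for region, ids in radios.items():
        count = len(ids)
        report[region] = {
            "radiostatus_down_count": count,
            "radios": sorted(ids),
            "severity": "Critical" if count >= 2 else "Major",
        }
    return report


def evaluate(text, window_end, window=timedelta(hours=1)):
    """Full pipeline: parse -> detect transitions in window -> severity per region."""
    return severity_by_region(down_transitions(parse_events(text), window_end, window))


if __name__ == "__main__":
    for region, r in sorted(evaluate(SAMPLE_EVENTS, WINDOW_END).items()):
        print(f"{region}: {r['radiostatus_down_count']} radio(s) down "
              f"({', '.join(r['radios'])}) -> open {r['severity']} ticket")
```

With the constructed input this reports Europe as Critical (radios 101 and 103) and America as Major (radio 104 only); Asia gets no ticket because radio 105 was down before the window and never changed. Counting distinct radioids rather than raw events also keeps a radio that reports "down" several times in one window from being counted more than once.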
Thank you for the quick help,
But I have more than 1000 radio devices; all I'm doing is checking the status of the field results and trying to work
If you post sample data, we can write the query.
The above core logic will work for millions of events. I've just provided a sample.