- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- How to create a search condition in Splunk where a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to get alerts for the situations which are different from below conditions:
Server a B C D
condition ü ü X X
X X ü ü
I want to check Splunk, for the above servers, if this condition is there then it's ok- otherwise, it will alert us via email.
PS: The above condition means either a and B is UP and C and D is down or A and B is Down and C and D is UP.
If there are any other conditions like all are UP or all are DOWN or A and C are UP or many more condition then it will alert us.
But I am not able to use Splunk to set this condition, can anyone please help me with this?
I am not sure if we can use LOOKUP table to check this one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ruchijain,
I'm assuming you have a table that looks as follows :
A B C D
u u X X
u u u X
u X X X
X X u u
If that's the case then something like this will return all the events you need :
YourBaseSearch ( A=u B=u C=X D=X) OR ( A=X B=X C=u D=u)
Adding NOT will return all the events that should alert you :
YourBaseSearch NOT ( ( A=u B=u C=X D=X) OR ( A=X B=X C=u D=u) )
If you want you can share a sample event so I can help you build a search that's closer to what you will be using.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sample is right as below:
currently A and B is showing service status as status =running (sourcetype=service_stutus ---> where i am using service jboss status)
C and D are editorial servers and not running so status is stopped
I want to run the query when A and B are running and C and D are stopped or vice versa (A and B are stopped and C and D are running)
For rest of the status combination it should sent the alert
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ruchijain,
I'm assuming you have a table that looks as follows :
A B C D
u u X X
u u u X
u X X X
X X u u
If that's the case then something like this will return all the events you need :
YourBaseSearch ( A=u B=u C=X D=X) OR ( A=X B=X C=u D=u)
Adding NOT will return all the events that should alert you :
YourBaseSearch NOT ( ( A=u B=u C=X D=X) OR ( A=X B=X C=u D=u) )
If you want you can share a sample event so I can help you build a search that's closer to what you will be using.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sample is right as below:
currently A and B is showing service status as status =running (sourcetype=service_stutus ---> where i am using service jboss status)
C and D are editorial servers and not running so status is stopped
I want to run the query when A and B are running and C and D are stopped or vice versa (A and B are stopped and C and D are running)
For rest of the status combination it should sent the alert
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
