I want to get alerts for the situations which are different from below conditions:
Server     A   B   C   D
Condition  ✓   ✓   X   X
           X   X   ✓   ✓
I want to check in Splunk, for the above servers, whether this condition holds. If it does then it's OK; otherwise it should alert us via email.
PS: The above condition means either A and B are UP and C and D are down, or A and B are down and C and D are UP.
If there is any other condition, like all UP, or all DOWN, or A and C UP, or many more combinations, then it should alert us.
But I am not able to use Splunk to set this condition, can anyone please help me with this?
I am not sure if we can use LOOKUP table to check this one.
Hi @ruchijain,
I'm assuming you have a table that looks as follows :
A  B  C  D
u  u  X  X
u  u  u  X
u  X  X  X
X  X  u  u
If that's the case then something like this will return all the events you need:
YourBaseSearch (A=u B=u C=X D=X) OR (A=X B=X C=u D=u)
Adding NOT will return all the events that should alert you:
YourBaseSearch NOT ((A=u B=u C=X D=X) OR (A=X B=X C=u D=u))
If you want you can share a sample event so I can help you build a search that's closer to what you will be using.
Cheers,
David
Sample is as below:
Currently A and B are showing service status as status=running (sourcetype=service_stutus, where I am using the JBoss service status).
C and D are editorial servers and are not running, so their status is stopped.
I want to run the query when A and B are running and C and D are stopped, or vice versa (A and B are stopped and C and D are running).
For the rest of the status combinations it should send the alert.
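The reply above says the data is one status event per host rather than a single event carrying fields A, B, C and D, so a search has to first reduce the per-host events to one latest status each and then test the pair condition. The following search is an added example, not from the thread; it assumes the events carry the standard host field with values A, B, C and D, the sourcetype service_status, and a status field whose "running" value means UP (everything else counts as down). It also treats a host that has sent nothing in the window as an alert condition, so a server that silently stops reporting does not pass as "down".

```spl
sourcetype=service_status host IN ("A","B","C","D") earliest=-15m
| stats latest(status) AS status BY host
| eval up=if(status="running", 1, 0)
| stats sum(eval(if(host="A" OR host="B", up, 0))) AS ab_up
        sum(eval(if(host="C" OR host="D", up, 0))) AS cd_up
        dc(host) AS hosts_seen
| eval ok=if(hosts_seen=4 AND ((ab_up=2 AND cd_up=0) OR (ab_up=0 AND cd_up=2)), 1, 0)
| where ok=0
| eval reason=case(hosts_seen<4, "one or more hosts reported no status in the window",
                   ab_up=2 AND cd_up=2, "all four hosts are running",
                   ab_up=0 AND cd_up=0, "all four hosts are stopped",
                   true(), "mixed state: A/B running=".ab_up." C/D running=".cd_up)
| table hosts_seen ab_up cd_up reason
```

The search returns a row only when the allowed pairing is violated, so save it as a scheduled alert that triggers when the number of results is greater than 0 and add the email action there; the reason column lands in the notification so the on-call reader sees which combination fired.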