I need a search to count the number of rows present and, if it is less than a certain value, send an alert. Also, I want the list of rows in that same mail.
When you say "count number of rows present", do you mean the number of rows in a static table? If I'm understanding correctly, what you want is the count of rows in a table and the static table in an alert.
Let me explain my problem.
Let's assume I have index = App,
which has one service called login, for which I have 4 nodes: login_1, login_2, login_3 & login_4.
`index= App host = Login_* | stats count by host |addcoltotals`
So, it returns:
host         Count
Login_1      123124
Login_2      342345
Login_3      34235423
Login_4      4235235
addcoltotal  4
So, I want to set an alert when this addcoltotal is less than 4, which means one of the nodes is not sending data. Also, I want to show the details of the ones which are sending data, so the concerned person knows which node that person has to check.
Can you help me with it?
There's great documentation online on scheduling alerts. Here's one link to get you started. Once you have saved your search as an alert, set the trigger on the count of events returned. Here you can specify your rule of "less than n" to trigger the alert.
http://docs.splunk.com/Documentation/Splunk/6.5.0/Alert/Definescheduledalerts
*UPDATED*
`index=App host=Login_* | eventstats dc(host) as nohosts | stats count max(nohosts) as hostcount by host`
Thanks for the input, I know how to create alerts.
Try the updated query. For the trigger condition, use custom and `search hostcount<4`.
Thanks buddy,
I guess the query is working fine. But I am still not getting any alerts.
Is there any way I can check whether the alert is getting triggered or not? Because I am not receiving it in my mailbox.
I would start by creating a very simple alert: `index=_internal sourcetype="splunkd" | head 1`,
and set the alert where `search sourcetype="splunkd"`.
If that works, this should work.
sundareshr, all the other alerts we have created are working fine.
Just this alert is not triggering.
Then add this to the end of your query: `| where hostcount<4`
and trigger the alert on count>0.
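As an added, stand-alone illustration (not code from this thread, and Python rather than SPL so it runs offline), here is the same check applied to a few constructed log lines: count events by host, derive `hostcount` the way `eventstats dc(host)` does, apply the `hostcount<4` trigger, and print the per-host counts for the mail. It goes one step beyond the thread's query by also naming the silent node, which requires an assumed inventory of the four expected hosts (`EXPECTED_HOSTS`, an assumption; the thread's search only lists the hosts that are present). The event lines, host names and function names are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample events (not taken from the thread); each line carries a
# host= field, standing in for what `index=App host=Login_*` would return.
# Login_3 is deliberately absent to simulate a node that stopped sending data.
SAMPLE_EVENTS = [
    '2017-03-01T10:00:01Z host=Login_1 service=login msg="login ok user=alice"',
    '2017-03-01T10:00:02Z host=Login_2 service=login msg="login ok user=bob"',
    '2017-03-01T10:00:03Z host=Login_1 service=login msg="login failed user=mallory"',
    '2017-03-01T10:00:04Z host=Login_4 service=login msg="login ok user=carol"',
    '2017-03-01T10:00:05Z host=Login_2 service=login msg="login ok user=dave"',
    '2017-03-01T10:00:06Z host=Login_4 service=login msg="login ok user=erin"',
    '2017-03-01T10:00:07Z host=Search_1 service=search msg="query ok"',  # dropped by host=Login_*
]

# Assumed inventory of the four login nodes. The thread's query has no such
# list, which is why it can count hosts but never name the one that is silent.
EXPECTED_HOSTS = ("Login_1", "Login_2", "Login_3", "Login_4")

HOST_RE = re.compile(r"\bhost=(?P<host>\S+)")


def count_by_host(events, host_prefix="Login_"):
    """Equivalent of `host=Login_* | stats count by host`."""
    counts = Counter()
    for line in events:
        m = HOST_RE.search(line)
        if m and m.group("host").startswith(host_prefix):
            counts[m.group("host")] += 1
    return dict(counts)


def node_report(events, expected_hosts=EXPECTED_HOSTS):
    """Build the alert payload.

    hostcount mirrors `eventstats dc(host)`: the number of distinct hosts
    that actually produced events. `missing` goes beyond the thread's query
    by diffing the observed hosts against the expected inventory.
    """
    counts = count_by_host(events)
    return {
        "hostcount": len(counts),
        "counts": counts,
        "missing": sorted(set(expected_hosts) - set(counts)),
    }


def should_alert(report, expected_total=len(EXPECTED_HOSTS)):
    """The trigger condition `| where hostcount<4` (then alert on count>0).

    Unlike the SPL version this also fires when hostcount is 0: in Splunk a
    search that matches no events returns no rows at all, so there is no row
    for `where hostcount<4` to keep and a count>0 trigger stays silent.
    """
    return report["hostcount"] < expected_total


def format_mail(report, expected_total=len(EXPECTED_HOSTS)):
    """Body of the notification: what is sending data, and what is not."""
    lines = [f"Login nodes reporting: {report['hostcount']} of {expected_total}"]
    for host, n in sorted(report["counts"].items()):
        lines.append(f"  {host:<10} {n:>6} events")
    if report["missing"]:
        lines.append("Not sending data: " + ", ".join(report["missing"]))
    return "\n".join(lines)


if __name__ == "__main__":
    report = node_report(SAMPLE_EVENTS)
    if should_alert(report):
        print(format_mail(report))
```

The point of the inventory is the blind spot in a `dc(host)` check: it only sees hosts that emit something, so the mail can list the healthy nodes but not the dead one, and if every node goes quiet the search returns nothing and a count>0 trigger never fires. Keeping an explicit list of expected hosts (in Splunk, typically a lookup or a `makeresults`/`append` subsearch) is what turns "3 of 4 are talking" into "Login_3 is down".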
@Nishant_007 - Did the answers provided by sundareshr help to resolve your question? If yes, please click on "Accept" to close out your post. Thank you!
What updated query?
Oh, I see it now... 😄 Sorry, I was looking at the wrong place.