I have 30 servers, out of which I want to monitor the Splunk agents of only 4 servers.
I have the following query:
index=_internal data_host=server1 OR data_host=server2 OR data_host=server3 OR data_host=server4 | stats count by data_host
How do I create an alert for the server which doesn't show up in the result table?
The alert should contain the name of the server which is not/stopped reporting data to the Splunk controller.
For example: server2 went down, or the Splunk agent of server2 went down for some reason.
The alert should say "Server2 is not reporting data".
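One common way to surface the silent hosts, shown as an added example that is not part of the original post: append a zero-count row for each of the four expected hosts (names and the `data_host` field taken from the question's query), sum per host, and keep only the hosts whose total is still zero. It assumes the search is saved as an alert that triggers when the number of results is greater than zero, over whatever time window counts as "stopped reporting".

```spl
index=_internal (data_host=server1 OR data_host=server2 OR data_host=server3 OR data_host=server4)
| stats count by data_host
| append
    [| makeresults
     | eval data_host=split("server1,server2,server3,server4", ",")
     | mvexpand data_host
     | eval count=0
     | fields data_host count]
| stats sum(count) AS count by data_host
| where count=0
| eval message=data_host . " is not reporting data"
| table data_host message
```

The `stats ... by data_host` grouping is case-sensitive, so the names in the `split()` list must match the indexed `data_host` values exactly; otherwise a healthy host appears as a second, zero-count row and raises a false alert.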