https://community.splunk.com/t5/Splunk-ITSI/Create-e-mail-alerts-for-inactive-and-unstable-entities/m-p/695500#M2909 <P>You could use a search like this to check if the entities mapped in a service are receiving events within a specified time frame, if not you could consider them unstable and alert<BR /><BR /></P><LI-CODE lang="markup">| inputlookup itsi_entities append=true | rename services._key as service_key | rename title as entity | fields entity, service_key | where isnotnull(service_key) | mvexpand service_key | inputlookup service_kpi_lookup append=true | eval key=coalesce(service_key,_key) | stats values(entity) as host, values(title) as service by key | mvexpand host | dedup host | fields host | eval host=lower(host) | join type=outer host [| metadata type=hosts index=_internal | eval host=lower(host) | eval status = if(lastTime&gt;now()-180,1,0)] | eval status=if(status=1,1,0)</LI-CODE><P>&nbsp;</P> Wed, 07 Aug 2024 05:53:19 GMT proyleJDS 2024-08-07T05:53:19Z https://community.splunk.com/t5/Splunk-ITSI/Create-e-mail-alerts-for-inactive-and-unstable-entities/m-p/690086#M2882 <P>Hi guys!</P><P>how to proceed to create alerts on inactive and unstable entities .</P> Sat, 08 Jun 2024 14:28:25 GMT https://community.splunk.com/t5/Splunk-ITSI/Create-e-mail-alerts-for-inactive-and-unstable-entities/m-p/690086#M2882 rmo23 2024-06-08T14:28:25Z https://community.splunk.com/t5/Splunk-ITSI/Create-e-mail-alerts-for-inactive-and-unstable-entities/m-p/690092#M2883 <P>Until you can tell us what data you have, what field/value in that data indicates inactive and unstable entities, and how you want the output to look like, volunteers are not going to help you.</P> Sat, 08 Jun 2024 19:53:04 GMT https://community.splunk.com/t5/Splunk-ITSI/Create-e-mail-alerts-for-inactive-and-unstable-entities/m-p/690092#M2883 yuanliu 2024-06-08T19:53:04Z https://community.splunk.com/t5/Splunk-ITSI/Create-e-mail-alerts-for-inactive-and-unstable-entities/m-p/690093#M2884 <P>hi<BR />I manage to monitor the servers divided into services via the ITSI.<BR />However, I would like to receive email alerts when some of my servers change state, either inactive or unstable, for better reactivity.</P> Sat, 08 Jun 2024 20:09:58 GMT https://community.splunk.com/t5/Splunk-ITSI/Create-e-mail-alerts-for-inactive-and-unstable-entities/m-p/690093#M2884 rmo23 2024-06-08T20:09:58Z https://community.splunk.com/t5/Splunk-ITSI/Create-e-mail-alerts-for-inactive-and-unstable-entities/m-p/690121#M2885 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256947">@rmo23</a>&nbsp;,</P><P>as also&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33901">@yuanliu</a>&nbsp;said, you should share more details about your infrastructure.</P><P>Anyway, in ITSI there's an asset inventory that should be complete (otherwise you have a very bigger issue!).</P><P>So,&nbsp; you could use the lookup containing these asset (I don' t remember its name) and run a search like the following:</P><LI-CODE lang="markup">| tstats count where index=* BY host | append [ | inputlookup your_asset_lookup | eval count=0 | fields host count ] | stats sum(count) AS total BY host | where total=0</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Sun, 09 Jun 2024 10:03:10 GMT https://community.splunk.com/t5/Splunk-ITSI/Create-e-mail-alerts-for-inactive-and-unstable-entities/m-p/690121#M2885 gcusello 2024-06-09T10:03:10Z https://community.splunk.com/t5/Splunk-ITSI/Create-e-mail-alerts-for-inactive-and-unstable-entities/m-p/690139#M2886 <P>hi<BR />Indeed, thanks to ITSI, I can have data on the metrics, the status of my servers, active or inactive, I can predict the status of my infrastructure, etc. I just want to receive email alerts only when my servers are inactive, I only see this status when I'm in ‘Entity Overview’ if it's possible to configure an email alert on it.</P> Sun, 09 Jun 2024 15:38:27 GMT https://community.splunk.com/t5/Splunk-ITSI/Create-e-mail-alerts-for-inactive-and-unstable-entities/m-p/690139#M2886 rmo23 2024-06-09T15:38:27Z https://community.splunk.com/t5/Splunk-ITSI/Create-e-mail-alerts-for-inactive-and-unstable-entities/m-p/690143#M2887 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256947">@rmo23</a>&nbsp;,</P><P>at first see if there is the way (I don't know very deeply ITSI) to enable as action the email sending.</P><P>If not extract the search from this dashboard and create a custom alert.</P><P>Ciao.</P><P>Giuseppe</P> Sun, 09 Jun 2024 16:09:56 GMT https://community.splunk.com/t5/Splunk-ITSI/Create-e-mail-alerts-for-inactive-and-unstable-entities/m-p/690143#M2887 gcusello 2024-06-09T16:09:56Z https://community.splunk.com/t5/Splunk-ITSI/Create-e-mail-alerts-for-inactive-and-unstable-entities/m-p/695500#M2909 <P>You could use a search like this to check if the entities mapped in a service are receiving events within a specified time frame, if not you could consider them unstable and alert<BR /><BR /></P><LI-CODE lang="markup">| inputlookup itsi_entities append=true | rename services._key as service_key | rename title as entity | fields entity, service_key | where isnotnull(service_key) | mvexpand service_key | inputlookup service_kpi_lookup append=true | eval key=coalesce(service_key,_key) | stats values(entity) as host, values(title) as service by key | mvexpand host | dedup host | fields host | eval host=lower(host) | join type=outer host [| metadata type=hosts index=_internal | eval host=lower(host) | eval status = if(lastTime&gt;now()-180,1,0)] | eval status=if(status=1,1,0)</LI-CODE><P>&nbsp;</P> Wed, 07 Aug 2024 05:53:19 GMT https://community.splunk.com/t5/Splunk-ITSI/Create-e-mail-alerts-for-inactive-and-unstable-entities/m-p/695500#M2909 proyleJDS 2024-08-07T05:53:19Z