https://community.splunk.com/t5/Alerting/Alert-when-host-not-sending-data-to-splunk/m-p/553543#M10549 <P>Use an <FONT face="courier new,courier">eval</FONT> command to add a cluster field, setting the value of the cluster based on the name of the server.&nbsp; Then do your counting by cluster rather than by server.&nbsp; Share your current search and we probably can offer more specific suggestions.</P> Fri, 28 May 2021 15:45:11 GMT richgalloway 2021-05-28T15:45:11Z https://community.splunk.com/t5/Alerting/Alert-when-host-not-sending-data-to-splunk/m-p/553537#M10548 <P>Hi,</P><P>I need to write a query which alerts if any of my host is not sending any logs to splunk in 10mins.</P><P>I'm able to get this result.</P><P>Challenge here is, I have 2 cluster servers group, if anyone one of the server is sending data then I should exclude the other server from the alert list, not able to write this logic in search.</P><P>Example:</P><P>Cluster one :&nbsp; Server 1, server 2 and server3&nbsp;</P><P>If Server 1 sends data in 10 mins, then I should remove Server 2 and server 3 from the final list.</P><P>right now it will only remove server 1 from the list and other 2 servers come in final list.</P><P>Like this I have 3 clusters, 2 servers in each cluster.</P><P>Please give some ideas on this</P><P>Thanks in Advance!</P> Fri, 28 May 2021 14:51:31 GMT https://community.splunk.com/t5/Alerting/Alert-when-host-not-sending-data-to-splunk/m-p/553537#M10548 Sangu 2021-05-28T14:51:31Z https://community.splunk.com/t5/Alerting/Alert-when-host-not-sending-data-to-splunk/m-p/553543#M10549 <P>Use an <FONT face="courier new,courier">eval</FONT> command to add a cluster field, setting the value of the cluster based on the name of the server.&nbsp; Then do your counting by cluster rather than by server.&nbsp; Share your current search and we probably can offer more specific suggestions.</P> Fri, 28 May 2021 15:45:11 GMT https://community.splunk.com/t5/Alerting/Alert-when-host-not-sending-data-to-splunk/m-p/553543#M10549 richgalloway 2021-05-28T15:45:11Z https://community.splunk.com/t5/Alerting/Alert-when-host-not-sending-data-to-splunk/m-p/553549#M10550 <P>Hi,</P><P>| metasearch index=abc sourcetype=abc<BR />| eval host=lower(host)<BR />| stats count BY host<BR />| append<BR />[ inputlookup Devices.csv<BR />| eval host=lower(Hostname+".amat.com"), count=0<BR />| fields host count ]<BR />| stats sum(count) AS total BY host | where total=0</P><P>&nbsp;</P><P>This is the query I used, lookup table has all the servers which needs to send data.&nbsp;</P><P>Another details I wanted to add is, not all servers are there in cluster, expect 3 cluster other 10 servers are there which are not part of any cluster.</P> Fri, 28 May 2021 16:55:46 GMT https://community.splunk.com/t5/Alerting/Alert-when-host-not-sending-data-to-splunk/m-p/553549#M10550 Sangu 2021-05-28T16:55:46Z https://community.splunk.com/t5/Alerting/Alert-when-host-not-sending-data-to-splunk/m-p/553551#M10551 <P>Perhaps this will help.&nbsp; The case function assigns servers to a cluster.&nbsp; Those that don't belong to a cluster use the host name as the cluster name.</P><LI-CODE lang="markup">| metasearch index=abc sourcetype=abc | eval host=lower(host) | stats count BY host | append [ inputlookup Devices.csv | eval host=lower(Hostname+".amat.com"), count=0 | fields host count ] | eval cluster=case(host="server1" OR host="server2" OR host="server3","cluster1", host="server4" OR host="server5" OR host="server6", "cluster2", 1==1, host) | stats sum(count) AS total BY cluster | where total=0</LI-CODE><P>&nbsp;</P> Fri, 28 May 2021 17:01:40 GMT https://community.splunk.com/t5/Alerting/Alert-when-host-not-sending-data-to-splunk/m-p/553551#M10551 richgalloway 2021-05-28T17:01:40Z https://community.splunk.com/t5/Alerting/Alert-when-host-not-sending-data-to-splunk/m-p/553561#M10552 <P>this worked. Thank you so much for your help!</P> Fri, 28 May 2021 17:26:54 GMT https://community.splunk.com/t5/Alerting/Alert-when-host-not-sending-data-to-splunk/m-p/553561#M10552 Sangu 2021-05-28T17:26:54Z