topic Re: Alert when ping UP and DOWN in Alerting

How to create an Alert when ping UP and DOWN?

jack1 — Mon, 13 Jun 2022 18:53:38 GMT

My i know how to set ping how many times fail or success , then only it will send alert?

Currently I was told tht it only ping 1 time in 5mins, then it will send out alert if DOWN. which I think 1 time ping is too short to conclude the IP is DOWN. I wanted to change it to 5 times ping , if 100% only consider IP is DOWN. May I know how to do it ?

Re: Alert when ping UP and DOWN

ITWhisperer — Sun, 12 Jun 2022 10:41:49 GMT

Start with a search which finds when you have at least 5 consecutive down flags

| streamstats count reset_on_change=true by flag | where flag="DOWN" AND count>=5

Re: Alert when ping UP and DOWN

jack1 — Sun, 12 Jun 2022 12:43:45 GMT

Hi,

I dont understand. you mean add this 2 cmd after existing one? or how shld it be?

Re: Alert when ping UP and DOWN

jack1 — Sun, 12 Jun 2022 12:48:18 GMT

Is it like this?

Re: Alert when ping UP and DOWN

ITWhisperer — Sun, 12 Jun 2022 14:20:13 GMT

Start with

index=ping | eval flag=if(packet_loss=100,"DOWN","UP") | streamstats count reset+on_change=true by flag | where count >= 5 AND flag="DOWN"

Re: Alert when ping UP and DOWN

jack1 — Thu, 16 Jun 2022 11:41:26 GMT

Sorry i nvr do splunk before. where do i start copy the line frm current alert settings? so tht I will know which branch is DOWN , at wht date/time, with the comments as well.something like below. All info is frm the lookup file.

WAN Site: Palo Alto US Cct:11654483

16 Jun 2022 17:04:40 - WAN UP

May I knw how to link this to the lookup file? It has all the IP and branch name, location, cct id, etc.

Currently the ping is set to 5 (original is 1), interval=300s but thereafter only received UP but no DOWN alert

May i also knw how shld the time range and cron expression be configured for every 300s(5 ping)?