topic Re: Ping Alert when up in Alerting

Ping Alert when up

davidirvine — Wed, 30 Sep 2020 00:53:12 GMT

Hi,

I currently have a Ping Alert which is notifies me when there is 100% packet loss for a host/device.
The search for the Ping is currently
sourcetype="ping_input" packet_loss = 100
| table dest, packet_loss

I now want to create an alert which tell me when the host/device is back up packet loss = 0%
I am think I need to do a compare of the two results, but unsure on how to start this one?
Reaching out for some assistance.

thanks

Re: Ping Alert when up

Shan — Wed, 30 Sep 2020 00:53:15 GMT

@davidirvine,

I believe below query may or mayn't help you. Can you elaborate in detail manner what exactly your requirement.

sourcetype="ping_input" back_up_packet_loss = 0%
| table dest, packet_loss

Thanks ..

Re: Ping Alert when up

davidirvine — Mon, 17 Jun 2019 23:44:42 GMT

Hi I think I'm after something like a Set-Diff actually as I want to compare the two results.
So when the first part of the search show 100% packet loss and the second part does not it will alert me.
Potentially something like this article https://answers.splunk.com/answers/151315/how-to-find-differences-between-two-searches-with-set-diff-command.html

Re: Ping Alert when up

skalliger — Tue, 18 Jun 2019 07:32:50 GMT

If the data is not that much, you could easily do just a | transaction _time, packet_loss src_ip startswith=packet_loss=100 endswith=packet_loss=0.
(Or use stats with first() and last() occurence. See the docs page for an example.)

Skalli

Re: Ping Alert when up

VatsalJagani — Tue, 18 Jun 2019 11:46:02 GMT

Hi @davidirvine - Could you please elaborate comparison? What kind of comparison you are looking for? As don't think so |set diff will work in your case.