https://community.splunk.com/t5/Splunk-Search/How-to-alert-host-stop-on-failover-paired-hosts/m-p/587890#M204740 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233940">@vl951f</a>,</P><P>if you could add a column in the lookup containing an ID for each pair, you could use it for the check.</P><P>In other words, if the the new column is called pair_ID, you could run something like this:</P><LI-CODE lang="markup">index=summary search_name=feed_status | lookup paired_host.csv Host_primary AS Host_name OUTPUT Host_secondary pair_ID | lookup paired_host.csv Host_secondary AS Host_name OUTPUT Host_primary pair_ID | stats dc(Host_name) AS dc_Host_name values(Host_primary) AS Host_Primary values(Host_secondary) AS Host_secondary BY pair_ID | where dc_Host_name =2</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Mon, 07 Mar 2022 16:27:08 GMT gcusello 2022-03-07T16:27:08Z https://community.splunk.com/t5/Splunk-Search/How-to-alert-host-stop-on-failover-paired-hosts/m-p/587871#M204735 <P>I have host stop event logged in a summary index</P><P>Index=summary search_name=feed_status</P><TABLE><TBODY><TR><TD width="90"><P>Host_name</P></TD><TD width="96"><P>Host_status</P></TD></TR><TR><TD width="90"><P>Host1a</P></TD><TD width="96"><P>Host_stop</P></TD></TR><TR><TD width="90"><P>Host2b</P></TD><TD width="96"><P>Host_stop</P></TD></TR><TR><TD width="90"><P>Host4a</P></TD><TD width="96"><P>Host_stop</P></TD></TR><TR><TD width="90"><P>Host1b</P></TD><TD width="96"><P>Host_stop</P></TD></TR><TR><TD width="90"><P>Host3a</P></TD><TD width="96"><P>Host_stop</P></TD></TR></TBODY></TABLE><P>I also have a lookup table for failover paired hosts.</P><TABLE><TBODY><TR><TD width="96"><P>Host_primary</P></TD><TD width="110"><P>Host_secondary</P></TD></TR><TR><TD width="96"><P>Host1a</P></TD><TD width="110"><P>Host1b</P></TD></TR><TR><TD width="96"><P>Host2a</P></TD><TD width="110"><P>Host2b</P></TD></TR><TR><TD width="96"><P>Host3a</P></TD><TD width="110"><P>Host3b</P></TD></TR><TR><TD width="96"><P>Host4a</P></TD><TD width="110"><P>Host4b</P></TD></TR></TBODY></TABLE><P>I need to generate the host stop alert when both failover paired hosts are stopped.</P><P>In this case alerting on Host1a and Host1b stopped.</P> Mon, 07 Mar 2022 15:16:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-alert-host-stop-on-failover-paired-hosts/m-p/587871#M204735 vl951f 2022-03-07T15:16:02Z https://community.splunk.com/t5/Splunk-Search/How-to-alert-host-stop-on-failover-paired-hosts/m-p/587890#M204740 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233940">@vl951f</a>,</P><P>if you could add a column in the lookup containing an ID for each pair, you could use it for the check.</P><P>In other words, if the the new column is called pair_ID, you could run something like this:</P><LI-CODE lang="markup">index=summary search_name=feed_status | lookup paired_host.csv Host_primary AS Host_name OUTPUT Host_secondary pair_ID | lookup paired_host.csv Host_secondary AS Host_name OUTPUT Host_primary pair_ID | stats dc(Host_name) AS dc_Host_name values(Host_primary) AS Host_Primary values(Host_secondary) AS Host_secondary BY pair_ID | where dc_Host_name =2</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Mon, 07 Mar 2022 16:27:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-alert-host-stop-on-failover-paired-hosts/m-p/587890#M204740 gcusello 2022-03-07T16:27:08Z https://community.splunk.com/t5/Splunk-Search/How-to-alert-host-stop-on-failover-paired-hosts/m-p/587910#M204745 <P>Hi, Giuseppe:</P><P>I added the column pair_ID, ad give it an unique number for each paired host. But "dc_Host_name" is always "1" after run the search.</P><P>Thanks</P> Mon, 07 Mar 2022 19:00:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-alert-host-stop-on-failover-paired-hosts/m-p/587910#M204745 vl951f 2022-03-07T19:00:35Z https://community.splunk.com/t5/Splunk-Search/How-to-alert-host-stop-on-failover-paired-hosts/m-p/587920#M204751 <P>It looks like one of the pair_ID is NULL from 2 lookup OUTPUT:</P><P>| lookup paired_host.csv Host_primary AS Host_name OUTPUT Host_secondary pair_ID<BR />| lookup paired_host.csv Host_secondary AS Host_name OUTPUT Host_primary pair_ID</P> Mon, 07 Mar 2022 22:46:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-alert-host-stop-on-failover-paired-hosts/m-p/587920#M204751 vl951f 2022-03-07T22:46:15Z https://community.splunk.com/t5/Splunk-Search/How-to-alert-host-stop-on-failover-paired-hosts/m-p/587927#M204755 <P>Hi, Giuseppe</P><P>I changed OUTPUT to OUTPUTNEW. It works.</P><P>index=summary search_name=feed_status<BR />| lookup paired_host.csv Host_primary AS Host_name OUTPUTNEW Host_secondary as hostname2 pair_ID as pairid<BR />| lookup paired_host.csv Host_secondary AS Host_name OUTPUTNEW Host_primary as hostname1 pair_ID as pairid<BR />| stats dc(Host_name) AS hcount values(hostname1) AS Host_Primary values(hostname2) AS Host_secondary BY pairid<BR />| where hcount =2</P><P>&nbsp;</P><P>Thanks a lot for your help.</P> Tue, 08 Mar 2022 00:49:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-alert-host-stop-on-failover-paired-hosts/m-p/587927#M204755 vl951f 2022-03-08T00:49:17Z https://community.splunk.com/t5/Splunk-Search/How-to-alert-host-stop-on-failover-paired-hosts/m-p/587957#M204764 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233940">@vl951f</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 08 Mar 2022 08:03:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-alert-host-stop-on-failover-paired-hosts/m-p/587957#M204764 gcusello 2022-03-08T08:03:07Z