https://community.splunk.com/t5/Splunk-Search/How-to-create-a-Splunk-alert-to-trigger-when-Tomcat-is-down/m-p/266110#M80018 <P>Hi,</P> <P>We have scenario to create an alert for tomcat to trigger an alert when tomcat is down.</P> <P>Based on our tomcat logs, it gives PID for every 30secs when ever it is up.<BR /> If it is down it wont trigger any event for that 30 sec interval.</P> <P>We need to set up an alert to trigger by host ,if any of the host has not have an entry for 30secs period.</P> <P>Below is basic search for it:</P> <PRE><CODE> index=index1 source=ps host=host1* OR host=host2* apache-tomcat|table host pid _time </CODE></PRE> Tue, 19 Jul 2016 22:32:22 GMT splunker9999 2016-07-19T22:32:22Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-Splunk-alert-to-trigger-when-Tomcat-is-down/m-p/266110#M80018 <P>Hi,</P> <P>We have scenario to create an alert for tomcat to trigger an alert when tomcat is down.</P> <P>Based on our tomcat logs, it gives PID for every 30secs when ever it is up.<BR /> If it is down it wont trigger any event for that 30 sec interval.</P> <P>We need to set up an alert to trigger by host ,if any of the host has not have an entry for 30secs period.</P> <P>Below is basic search for it:</P> <PRE><CODE> index=index1 source=ps host=host1* OR host=host2* apache-tomcat|table host pid _time </CODE></PRE> Tue, 19 Jul 2016 22:32:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-Splunk-alert-to-trigger-when-Tomcat-is-down/m-p/266110#M80018 splunker9999 2016-07-19T22:32:22Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-Splunk-alert-to-trigger-when-Tomcat-is-down/m-p/266111#M80019 <P>Find hosts down for 5 minutes:</P> <PRE><CODE>index=index1 source=ps host=host1* OR host=host2* apache-tomcat | stats latest(_time) as latest by host | eval age=now()-latest | where age&gt;300 </CODE></PRE> Tue, 19 Jul 2016 22:39:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-Splunk-alert-to-trigger-when-Tomcat-is-down/m-p/266111#M80019 twinspop 2016-07-19T22:39:27Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-Splunk-alert-to-trigger-when-Tomcat-is-down/m-p/266112#M80020 <P>Hi, This would works when host is down.</P> <P>Here we are checking for pid in the events: We will get events for every 30secs when ever Tomcat is up and running.</P> <P>When ever server is down, it wont trigger any events to splunk<BR /> Ex:<BR /> If Tomcat is stopped around 3.47.30.000, we wont get any events from 3.47.30.000 to until it is up.</P> <P>So we need to customise our search , in such away that if search find no events from any particular host ..we need to give status as down. By default when ever search returns events which have pid, then status should be up.</P> <P>If we have search query for this , we can give condition like|where status=down</P> <P>Thanks</P> Tue, 19 Jul 2016 22:50:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-Splunk-alert-to-trigger-when-Tomcat-is-down/m-p/266112#M80020 splunker9999 2016-07-19T22:50:34Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-Splunk-alert-to-trigger-when-Tomcat-is-down/m-p/266113#M80021 <P>Change the stats command to include pid: <CODE>... as latest by host pid</CODE> ?</P> Wed, 20 Jul 2016 00:48:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-Splunk-alert-to-trigger-when-Tomcat-is-down/m-p/266113#M80021 twinspop 2016-07-20T00:48:04Z