Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alert should fire with the field value not satisfying the condition.

AdixitSplunk
Path Finder
‎02-23-2017 02:02 AM

HI All ,
I have a question here on formatting the result and the alert set up , can you please help me on this:
My query is :
index=servers sourcetype=xyz Message="*started"|stat count by host Message|addcoltotals
result:
host Message Count
123 Started 1
456 Started 1
2
What i want is :
host Message Count
123 Started 1
456 Started 1
789 Not started 0
Total 2
For message field we have only 2 values(started, completed)that host should list up which is not yet started and even not completed.
now after this I want to set up an alert whose condition should be :
If the total count is less than 3 it should fire an alert withe host name whose value is 0 which is 789 in this case .

Thanks in advance.

Tags (2)
0 Karma
Reply

koshyk
Super Champion
‎02-26-2017 11:42 AM

The question is NOT clear, but I'm going to do a guesswork. I assume, you are saying the Message field is populated ONLY when it is "started" or "completed" but in other case it is empty?

Try something like this and let us know the output

index=servers sourcetype=xyz Message="*started"| fillnull value="UNKNOWN" Message| stats count by host Message| addcoltotals
0 Karma
Reply

AdixitSplunk
Path Finder
‎02-26-2017 10:42 PM

Hi Thanks for answering my question here .
My apologies if the question was not clear ,but you got it exactly what i mean to say there .

Now coming to the solution you gave, Its not giving the desired result . On running this query its giving the output as bellow:
host Message count
123 Started 1
456 Started 1

                         2
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-23-2017 06:54 AM

A base query of Message="started*" will not match "Not started". Try changing it to Message="*started" and see if it helps.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lguinn2
Legend
‎02-25-2017 02:31 PM

Splunk cannot count something which is not in the logs. So if there is no event that says "not started" - how can Splunk count it?

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...