Alerting

Alert should fire with the field value not satisfying the condition.

AdixitSplunk
Path Finder

HI All ,
I have a question here on formatting the result and the alert set up , can you please help me on this:
My query is :
index=servers sourcetype=xyz Message="*started"|stat count by host Message|addcoltotals
result:
host Message Count
123 Started 1
456 Started 1
2
What i want is :
host Message Count
123 Started 1
456 Started 1
789 Not started 0
Total 2
For message field we have only 2 values(started, completed)that host should list up which is not yet started and even not completed.
now after this I want to set up an alert whose condition should be :
If the total count is less than 3 it should fire an alert withe host name whose value is 0 which is 789 in this case .

Thanks in advance.

Tags (2)
0 Karma

koshyk
Super Champion

The question is NOT clear, but I'm going to do a guesswork. I assume, you are saying the Message field is populated ONLY when it is "started" or "completed" but in other case it is empty?

Try something like this and let us know the output

index=servers sourcetype=xyz Message="*started"| fillnull value="UNKNOWN" Message| stats count by host Message| addcoltotals 
0 Karma

AdixitSplunk
Path Finder

Hi Thanks for answering my question here .
My apologies if the question was not clear ,but you got it exactly what i mean to say there .

Now coming to the solution you gave, Its not giving the desired result . On running this query its giving the output as bellow:
host Message count
123 Started 1
456 Started 1

                         2
0 Karma

richgalloway
SplunkTrust
SplunkTrust

A base query of Message="started*" will not match "Not started". Try changing it to Message="*started" and see if it helps.

---
If this reply helps you, Karma would be appreciated.
0 Karma

lguinn2
Legend

Splunk cannot count something which is not in the logs. So if there is no event that says "not started" - how can Splunk count it?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...