Alerting

Alert should fire with the field value not satisfying the condition.

Path Finder

HI All ,
I have a question here on formatting the result and the alert set up , can you please help me on this:
My query is :
index=servers sourcetype=xyz Message="*started"|stat count by host Message|addcoltotals
result:
host Message Count
123 Started 1
456 Started 1
2
What i want is :
host Message Count
123 Started 1
456 Started 1
789 Not started 0
Total 2
For message field we have only 2 values(started, completed)that host should list up which is not yet started and even not completed.
now after this I want to set up an alert whose condition should be :
If the total count is less than 3 it should fire an alert withe host name whose value is 0 which is 789 in this case .

Thanks in advance.

Tags (2)
0 Karma

Super Champion

The question is NOT clear, but I'm going to do a guesswork. I assume, you are saying the Message field is populated ONLY when it is "started" or "completed" but in other case it is empty?

Try something like this and let us know the output

index=servers sourcetype=xyz Message="*started"| fillnull value="UNKNOWN" Message| stats count by host Message| addcoltotals 
0 Karma

Path Finder

Hi Thanks for answering my question here .
My apologies if the question was not clear ,but you got it exactly what i mean to say there .

Now coming to the solution you gave, Its not giving the desired result . On running this query its giving the output as bellow:
host Message count
123 Started 1
456 Started 1

                         2
0 Karma

SplunkTrust
SplunkTrust

A base query of Message="started*" will not match "Not started". Try changing it to Message="*started" and see if it helps.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Legend

Splunk cannot count something which is not in the logs. So if there is no event that says "not started" - how can Splunk count it?

0 Karma