Alerting
Highlighted

Alert should fire with the field value not satisfying the condition.

Path Finder

HI All ,
I have a question here on formatting the result and the alert set up , can you please help me on this:
My query is :
index=servers sourcetype=xyz Message="*started"|stat count by host Message|addcoltotals
result:
host Message Count
123 Started 1
456 Started 1
2
What i want is :
host Message Count
123 Started 1
456 Started 1
789 Not started 0
Total 2
For message field we have only 2 values(started, completed)that host should list up which is not yet started and even not completed.
now after this I want to set up an alert whose condition should be :
If the total count is less than 3 it should fire an alert withe host name whose value is 0 which is 789 in this case .

Thanks in advance.

Tags (2)
0 Karma
Highlighted

Re: Alert should fire with the field value not satisfying the condition.

SplunkTrust
SplunkTrust

A base query of Message="started*" will not match "Not started". Try changing it to Message="*started" and see if it helps.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: Alert should fire with the field value not satisfying the condition.

Legend

Splunk cannot count something which is not in the logs. So if there is no event that says "not started" - how can Splunk count it?

0 Karma
Highlighted

Re: Alert should fire with the field value not satisfying the condition.

Super Champion

The question is NOT clear, but I'm going to do a guesswork. I assume, you are saying the Message field is populated ONLY when it is "started" or "completed" but in other case it is empty?

Try something like this and let us know the output

index=servers sourcetype=xyz Message="*started"| fillnull value="UNKNOWN" Message| stats count by host Message| addcoltotals 
0 Karma
Highlighted

Re: Alert should fire with the field value not satisfying the condition.

Path Finder

Hi Thanks for answering my question here .
My apologies if the question was not clear ,but you got it exactly what i mean to say there .

Now coming to the solution you gave, Its not giving the desired result . On running this query its giving the output as bellow:
host Message count
123 Started 1
456 Started 1

                         2
0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.