Alerting: customized conditions, memory is above a...

Alerting

Hello,
I have the next query in an alert to check the status of 6 hosts:
index=idx_nmon_data sourcetype=Perfmon:Memory eventtype=perfmon_memory
| eval threshold=95
| where mem_used > threshold
| table _time host mem_used threshold

I would like that the alert is triggered when for two times in a row a specific server is above 95% of mem_used.

And that in the email appears the next fields: _time host mem_used threshold
I thought about two options but they dont match exactly what I want:
- Do a: stats dc(_time) as times by host (in the search) and configure alert triggered when results are >1
>>>but in this case i lose information in the email of mem_used and _time, and I would like to see them in the table of the email

          - Inside the alert, as customized condition, to write: search dc(_time) by host > 1, but it does not work

Anyone has othe ideas? or am i doing something wrong?

I would like to maintain as well this is an only one query just to avoid consume the ressources of my search head server

Thanks in advance
Jaime

Get Updates on the Splunk Community!

Alerting: customized conditions, memory is above a threshold for two times in a row for a specific server

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation