Solved: Alerts: Getting Multiple Values into Alert

vinodmadaan · ‎09-10-2015

Hi Guys,

I am not sure if this has been asked before (as I couldn't find anything on this issue).

I am working on a issue in which I have to create an alert for the thread count from 6 different servers, they come in as different log entries into splunk. So what I am looking for is a way to get these 6 values into the alert and trigger if any of these 6 crosses the threshold (one of the possible solution is creating 6 alerts and keeping track of each server separately, but I am looking for a way to get this done through one Alert only).

Is it possible?

Thanks in advance!

rechteklebe · ‎09-10-2015

Index=$yourindex host=host1 OR host=host2 OR host=host3 OR host=host4 OR host=host5 OR host=host6 $everythingelsetofindthethreaddata | stats max(Threads) as "maxthreads" by host | search "maxthreads"> $threshold

View solution in original post

rechteklebe · ‎09-10-2015

Index=$yourindex host=host1 OR host=host2 OR host=host3 OR host=host4 OR host=host5 OR host=host6 $everythingelsetofindthethreaddata | stats max(Threads) as "maxthreads" by host | search "maxthreads"> $threshold

vinodmadaan · ‎09-28-2015

it worked as needed, thanks 🙂

somesoni2 · ‎09-10-2015

Do the Threadcount from these 6 servers (assuming they are forwarders) go to central indexer(s)?

vinodmadaan · ‎09-11-2015

yes they go to a central indexer.

Alerts: Getting Multiple Values into Alert

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

Alerts: Getting Multiple Values into Alert

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey