Solved: Alerts: Getting Multiple Values into Alert

vinodmadaan · ‎09-10-2015

Hi Guys,

I am not sure if this has been asked before (as I couldn't find anything on this issue).

I am working on a issue in which I have to create an alert for the thread count from 6 different servers, they come in as different log entries into splunk. So what I am looking for is a way to get these 6 values into the alert and trigger if any of these 6 crosses the threshold (one of the possible solution is creating 6 alerts and keeping track of each server separately, but I am looking for a way to get this done through one Alert only).

Is it possible?

Thanks in advance!

rechteklebe · ‎09-10-2015

Index=$yourindex host=host1 OR host=host2 OR host=host3 OR host=host4 OR host=host5 OR host=host6 $everythingelsetofindthethreaddata | stats max(Threads) as "maxthreads" by host | search "maxthreads"> $threshold

View solution in original post

rechteklebe · ‎09-10-2015

Index=$yourindex host=host1 OR host=host2 OR host=host3 OR host=host4 OR host=host5 OR host=host6 $everythingelsetofindthethreaddata | stats max(Threads) as "maxthreads" by host | search "maxthreads"> $threshold

vinodmadaan · ‎09-28-2015

it worked as needed, thanks 🙂

somesoni2 · ‎09-10-2015

Do the Threadcount from these 6 servers (assuming they are forwarders) go to central indexer(s)?

vinodmadaan · ‎09-11-2015

yes they go to a central indexer.

Alerts: Getting Multiple Values into Alert

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation