Alerting
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Alerts: Getting Multiple Values into Alert
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vinodmadaan
Path Finder
09-10-2015
08:45 AM
Hi Guys,
I am not sure if this has been asked before (as I couldn't find anything on this issue).
I am working on a issue in which I have to create an alert for the thread count from 6 different servers, they come in as different log entries into splunk. So what I am looking for is a way to get these 6 values into the alert and trigger if any of these 6 crosses the threshold (one of the possible solution is creating 6 alerts and keeping track of each server separately, but I am looking for a way to get this done through one Alert only).
Is it possible?
Thanks in advance!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rechteklebe
Path Finder
09-10-2015
09:41 AM
Index=$yourindex host=host1 OR host=host2 OR host=host3 OR host=host4 OR host=host5 OR host=host6 $everythingelsetofindthethreaddata | stats max(Threads) as "maxthreads" by host | search "maxthreads"> $threshold
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rechteklebe
Path Finder
09-10-2015
09:41 AM
Index=$yourindex host=host1 OR host=host2 OR host=host3 OR host=host4 OR host=host5 OR host=host6 $everythingelsetofindthethreaddata | stats max(Threads) as "maxthreads" by host | search "maxthreads"> $threshold
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vinodmadaan
Path Finder
09-28-2015
04:19 AM
it worked as needed, thanks 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-10-2015
09:24 AM
Do the Threadcount from these 6 servers (assuming they are forwarders) go to central indexer(s)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vinodmadaan
Path Finder
09-11-2015
12:28 AM
yes they go to a central indexer.
Get Updates on the Splunk Community!
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
