
Alerts: check neighbor sites; if one host or two hosts at the same location are down, trigger

Path Finder

Hello Splunkers,

I have the following unique fields in my search results: radioid, radiostatus, region

I need to write alerts with the following actions:
1.) If only one radio's status changed to "down" within the same geographic area:
open a ticket with severity "Major" and proceed with troubleshooting.
2.) If two or more radios' status changed to "down" within the same geographic area:
open a ticket with severity "Critical" and proceed with troubleshooting.

Any help will be much appreciated.


Re: Alerts: check neighbor sites; if one host or two hosts at the same location are down, trigger

Super Champion

Sample data would have been great. Also, it is important that you scan over a specific period of time.

Assuming the below is a sample set of data and you look at a 1 hour time span:

radioid=101 radiostatus=down region=Europe
radioid=102 radiostatus=up region=Europe
radioid=103 radiostatus=down region=Europe
radioid=104 radiostatus=down region=America

Sample test search:

| makeresults
| eval raw_data="radioid=101 radiostatus=down region=Europe; radioid=102 radiostatus=up region=Europe; radioid=103 radiostatus=down region=Europe; radioid=104 radiostatus=down region=America"
| makemv delim=";" raw_data
| mvexpand raw_data
| rename raw_data as _raw
| extract pairdelim=" " kvdelim="="
| search radiostatus=down
| stats count(radiostatus) as radiostatus_down_count by region
| eval severity=if(radiostatus_down_count>1,"Critical","Major")

cheers

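The same grouping logic, rewritten in Python as an added example (not part of the original thread and not Splunk code), so the two ways of counting can be compared side by side. `stats count(radiostatus)` in the search above counts down *events*; a radio that reports "down" twice inside the hour is counted twice and can push its region to "Critical" on its own. Counting distinct radios (the equivalent of `stats dc(radioid)`) avoids that. The sample events, timestamps, one-hour window and its end time are all constructed here; "changed to down" is taken to mean "the radio's most recent report inside the window is down".

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: the thread's key=value
# layout with a timestamp in front. Radio 101 reports "down" twice, and
# radio 105's report is older than the window being evaluated.
SAMPLE_EVENTS = """\
2019-05-01T09:05:00 radioid=101 radiostatus=up region=Europe
2019-05-01T09:10:00 radioid=101 radiostatus=down region=Europe
2019-05-01T09:12:00 radioid=101 radiostatus=down region=Europe
2019-05-01T09:15:00 radioid=102 radiostatus=up region=Europe
2019-05-01T09:20:00 radioid=103 radiostatus=down region=Europe
2019-05-01T09:25:00 radioid=104 radiostatus=down region=America
2019-05-01T08:20:00 radioid=105 radiostatus=down region=Asia
"""

# Assumed evaluation point: the alert looks back one hour from here.
WINDOW_END = datetime.fromisoformat("2019-05-01T09:30:00")
WINDOW = timedelta(hours=1)


def parse_events(text):
    """Parse 'timestamp key=value key=value ...' lines into dicts,
    the equivalent of Splunk's extract with pairdelim=" " kvdelim="="."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = {"_time": datetime.fromisoformat(ts)}
        for pair in pairs:
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def in_window(ev, window_end=WINDOW_END, window=WINDOW):
    """True if the event falls inside the look-back window."""
    return window_end - window <= ev["_time"] <= window_end


def count_down_events(events, window_end=WINDOW_END, window=WINDOW):
    """Naive tally mirroring 'search radiostatus=down | stats count by region':
    every down event counts, so a flapping radio is counted more than once."""
    counts = defaultdict(int)
    for ev in events:
        if in_window(ev, window_end, window) and ev["radiostatus"] == "down":
            counts[ev["region"]] += 1
    return dict(counts)


def down_radios_by_region(events, window_end=WINDOW_END, window=WINDOW):
    """{region: set(radioid)} of radios whose latest in-window report is 'down'.
    Keying on the radio (like 'stats dc(radioid)') means one noisy radio
    cannot escalate its region to Critical by itself."""
    latest = {}  # radioid -> (time, status, region) of its newest in-window event
    for ev in events:
        if not in_window(ev, window_end, window):
            continue
        rid = ev["radioid"]
        if rid not in latest or ev["_time"] > latest[rid][0]:
            latest[rid] = (ev["_time"], ev["radiostatus"], ev["region"])
    down = defaultdict(set)
    for rid, (_, status, region) in latest.items():
        if status == "down":
            down[region].add(rid)
    return dict(down)


def severity(n_down):
    """Ticket severity from the number of distinct radios down in a region."""
    if n_down >= 2:
        return "Critical"
    if n_down == 1:
        return "Major"
    return None


def alerts(events, window_end=WINDOW_END, window=WINDOW):
    """One alert (region -> severity) per region with at least one radio down."""
    return {region: severity(len(rids))
            for region, rids in down_radios_by_region(events, window_end, window).items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("down events per region:", count_down_events(evs))
    print("alerts:", alerts(evs))
```

On the constructed data the event count reports Europe as 3 while only two distinct radios (101 and 103) are actually down; both approaches agree on America. Radio 105 is ignored because its report predates the window, which is why the answer above stresses scanning over a specific period.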

Re: Alerts: check neighbor sites; if one host or two hosts at the same location are down, trigger

Path Finder

Thank you for the quick help,
but I have more than 1000 radio devices. All I'm doing is checking the status of the field results and trying to work


Re: Alerts: check neighbor sites; if one host or two hosts at the same location are down, trigger

Super Champion

If you post sample data, we can write the query.
The above core logic will work for millions of events; I've just provided a sample.
