I currently have an existing alert that notifies if the servers are down.
Say I have two columns: server_name and event_status.
event_status=60002 indicates if the servers are down.
event_status=60001 indicates if the servers are up.
Please note that there are other values for event_status, but we are only focused on these two.
Existing alert for server down:
(base search) server_name=dfw* "EventCode=60002" earliest=-1h@h | dedup server_name | table server_name
// This is scheduled to run every 5 minutes and triggers once if there is any result.
I would now want to have another alert that indicates if the servers are back to EventCode=60001 (from 60002).
Can you please help me?
Hi,
You can do something like the below:
(base search) server_name=dfw* earliest=-1h@h | search EventCode="60001" OR EventCode="60002" | transaction server_name| eval EventCode = mvdedup(EventCode)
| eval back_to_normal = if(mvfind(EventCode,"60001") >=0 AND mvfind(EventCode,"60002") >=0,"true","false")
| where back_to_normal = "true"
Sid
Hello, the query produced results (or "alerted") when the servers went down. They alerted at almost the same time. I think it is because the query showed results with 60001 to 60002...
We would like to have a result only when seeing 60002 and then back to 60001. Is it possible to modify this query a little? Thanks
Can you try something like this below:
(base search) server_name=dfw* earliest=-1h@h | search EventCode="60001" OR EventCode="60002" | transaction server_name| eval EventCode = mvdedup(EventCode)
| eval back_to_normal = if(mvfind(EventCode,"60001") > mvfind(EventCode,"60002") >=0,"true","false")
| where back_to_normal = "true"
Sid
The eval expression is malformed. Not sure if it's because of having two greater-thans.
Ohh yes, I forgot to remove the >=0. Here is the correct code:
(base search) server_name=dfw* earliest=-1h@h | search EventCode="60001" OR EventCode="60002" | transaction server_name| eval EventCode = mvdedup(EventCode)
| eval back_to_normal = if(mvfind(EventCode,"60001") > mvfind(EventCode,"60002"),"true","false")
| where back_to_normal = "true"
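The three SPL variants in this thread differ only in the eval expression, so it is worth seeing them run side by side over the same events. What follows is an added Python model of that pipeline (it is not SPL and not part of the thread): `mvdedup`, `mvfind` and the `transaction server_name` grouping are re-implemented just far enough to apply each rule to a constructed set of events. It assumes the multivalue EventCode field that `transaction` builds is in chronological order (oldest first), which is what the final answer's `mvfind(...60001) > mvfind(...60002)` comparison relies on. The sample log lines, the server names and the `rule_last_is_up` variant are all constructed for the example. Besides reproducing the thread's two outcomes (the first answer fires on a plain outage, the final answer does not), it also shows what happens to a server that was up, went down, and came back inside the same hour: `mvdedup` keeps only the first occurrence of each code, so the final answer sees `[60001, 60002]` and stays silent, whereas checking that the last code is 60001 after a 60002 catches it.

```python
"""Python model of the thread's Splunk logic (added example; not SPL, not Splunk's code)."""
import re
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

UP = "60001"    # server back up
DOWN = "60002"  # server down

# Constructed sample events for the example (not real data).
# ts is seconds into the one-hour window; EventCode=60003 stands in for
# "other values" that the thread says exist but are not of interest.
SAMPLE_LOG = """\
ts=5  server_name=dfw-web02 EventCode=60001
ts=5  server_name=dfw-web03 EventCode=60001
ts=7  server_name=dfw-web03 EventCode=60003
ts=10 server_name=dfw-web01 EventCode=60002
ts=12 server_name=dfw-web04 EventCode=60002
ts=15 server_name=dfw-web02 EventCode=60002
ts=15 server_name=dfw-web03 EventCode=60002
ts=18 server_name=chi-web01 EventCode=60002
ts=20 server_name=dfw-web01 EventCode=60001
ts=25 server_name=dfw-web03 EventCode=60001
ts=30 server_name=chi-web01 EventCode=60001
"""

LINE_RE = re.compile(r"ts=(\d+)\s+server_name=(\S+)\s+EventCode=(\d+)")


def parse_log(text: str) -> List[Tuple[int, str, str]]:
    """Turn the key=value lines into (ts, server_name, event_code) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events


def transaction_by_server(events: List[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    """Model of `server_name=dfw* | search EventCode=60001 OR EventCode=60002
    | transaction server_name`. Assumption: the multivalue EventCode field of
    the combined event lists codes oldest-first."""
    groups: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ts, server, code in events:
        if server.startswith("dfw") and code in (UP, DOWN):
            groups[server].append((ts, code))
    return {s: [code for _, code in sorted(v)] for s, v in groups.items()}


def mvdedup(values: List[str]) -> List[str]:
    """Splunk mvdedup: drop repeats, keeping the first occurrence's position."""
    seen, out = set(), []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def mvfind(values: List[str], pattern: str) -> Optional[int]:
    """Splunk mvfind: index of the FIRST value matching the regex, else null."""
    for i, v in enumerate(values):
        if re.search(pattern, v):
            return i
    return None


def rule_both_present(codes: List[str]) -> bool:
    """First answer: both codes seen in the window (fires on a plain outage too)."""
    c = mvdedup(codes)
    return mvfind(c, UP) is not None and mvfind(c, DOWN) is not None


def rule_up_after_down(codes: List[str]) -> bool:
    """Final answer: first 60001 comes after first 60002. A null from mvfind
    makes the Splunk comparison null, which if() treats as false."""
    c = mvdedup(codes)
    up, down = mvfind(c, UP), mvfind(c, DOWN)
    return up is not None and down is not None and up > down


def rule_last_is_up(codes: List[str]) -> bool:
    """Constructed stricter variant: a 60002 occurred and the newest code is 60001,
    so an up->down->up server in the same window still counts as recovered."""
    return DOWN in codes and codes[-1] == UP


def servers_firing(log: str, rule: Callable[[List[str]], bool]) -> List[str]:
    """Servers the alert would list for a given eval rule (sorted for stable output)."""
    grouped = transaction_by_server(parse_log(log))
    return sorted(s for s, codes in grouped.items() if rule(codes))


if __name__ == "__main__":
    for rule in (rule_both_present, rule_up_after_down, rule_last_is_up):
        print(f"{rule.__name__:>20}: {servers_firing(SAMPLE_LOG, rule)}")
```

Running it lists dfw-web01, dfw-web02 and dfw-web03 for the first rule, only dfw-web01 for the thread's final rule, and dfw-web01 plus dfw-web03 for the last-code variant; dfw-web04 (down, never back) and chi-web01 (outside `dfw*`) never appear. One more caveat the model makes visible: `mvfind` takes a regex, so the literal `"60001"` is fine here, but a pattern such as `"6000"` would match both codes and return the index of whichever comes first.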