Creating an alert using the result obtained - Splunk Community

Alerting

I have this query to return the server whose event count is less than 10 during a time interval.

index=np_dss (source="DSS:DATA" OR source="DSS:DATAHUB") | stats count by host | where count<10

This query returns 2 servers N01APL100 & N01APL101 of the total 3 servers, N01APL100, N01APL101, N01APL102.

All I need is to create an alert that must include the servers returned in the response (N01APL100 & N01APL101) are low in event count.

Eg: Server/s N01APL100 & N01APL101 are low in event count.

Can someone please help?

If you append this to your search, you can alert if the result count is greater than 0 and reference the field $result.message$ in your alert text.

| stats values(host) AS host 
| eval host=mvjoin(host, " & "), message="Server/s ".host." are low in event count." 
| fields message

Superb elliotproebstel ! Thanks a ton.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...