Creating an alert using the result obtained - Splunk Community

Alerting

I have this query to return the server whose event count is less than 10 during a time interval.

index=np_dss (source="DSS:DATA" OR source="DSS:DATAHUB") | stats count by host | where count<10

This query returns 2 servers N01APL100 & N01APL101 of the total 3 servers, N01APL100, N01APL101, N01APL102.

All I need is to create an alert that must include the servers returned in the response (N01APL100 & N01APL101) are low in event count.

Eg: Server/s N01APL100 & N01APL101 are low in event count.

Can someone please help?

If you append this to your search, you can alert if the result count is greater than 0 and reference the field $result.message$ in your alert text.

| stats values(host) AS host 
| eval host=mvjoin(host, " & "), message="Server/s ".host." are low in event count." 
| fields message

Superb elliotproebstel ! Thanks a ton.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...