Creating an alert using the result obtained - Splunk Community

Alerting

I have this query to return the server whose event count is less than 10 during a time interval.

index=np_dss (source="DSS:DATA" OR source="DSS:DATAHUB") | stats count by host | where count<10

This query returns 2 servers N01APL100 & N01APL101 of the total 3 servers, N01APL100, N01APL101, N01APL102.

All I need is to create an alert that must include the servers returned in the response (N01APL100 & N01APL101) are low in event count.

Eg: Server/s N01APL100 & N01APL101 are low in event count.

Can someone please help?

If you append this to your search, you can alert if the result count is greater than 0 and reference the field $result.message$ in your alert text.

| stats values(host) AS host 
| eval host=mvjoin(host, " & "), message="Server/s ".host." are low in event count." 
| fields message

Superb elliotproebstel ! Thanks a ton.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...