Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Creating an alert using the result obtained

Nidheesh
Explorer
‎04-06-2018 04:10 AM

I have this query to return the server whose event count is less than 10 during a time interval.

index=np_dss (source="DSS:DATA" OR source="DSS:DATAHUB") | stats count by host | where count<10

This query returns 2 servers N01APL100 & N01APL101 of the total 3 servers, N01APL100, N01APL101, N01APL102.

All I need is to create an alert that must include the servers returned in the response (N01APL100 & N01APL101) are low in event count.

Eg: Server/s N01APL100 & N01APL101 are low in event count.

Can someone please help?

Tags (1)
0 Karma
Reply

elliotproebstel
Champion
‎04-06-2018 06:02 AM

If you append this to your search, you can alert if the result count is greater than 0 and reference the field $result.message$ in your alert text.

| stats values(host) AS host 
| eval host=mvjoin(host, " & "), message="Server/s ".host." are low in event count." 
| fields message
Reply

Nidheesh
Explorer
‎04-08-2018 09:44 PM

Superb elliotproebstel ! Thanks a ton.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...