Alerting

How to create an alert if a process is not running in Linux?

stotta11
New Member

Hi -

I need to create an alert so that if a process is not running on a Linux server, it sends out an alert:

The query below is giving me correct results for all the processes running on a server:

index="index-name" source=ps host="hostname*" process="*process_name*"
| dedup host process
| join host [search index="index-name" source=ps host="hostname*" process="*process_name*"
| stats latest(host) latest(_time) by host | eval lastSeen='latest(_time)' | fields host lastSeen]
| eval status=if(lastSeen<(now() - 300), "not running", "running")
| table host status process

Example output:

Host : hostname
Status : running
process : process_name

But I need to send an alert if the status is not running.

Could anybody help me with it?

0 Karma

shivanshu1593
Builder

Save it as an alert. That should do the trick for you whenever your alert detects that a service isn't running.

index="index-name" source=ps host="hostname*" process="process_name"
| dedup host process
| join host [search index="index-name" source=ps host="hostname*" process="process_name"
| stats latest(host) latest(_time) by host | eval lastSeen='latest(_time)' | fields host lastSeen]
| eval status=if(lastSeen<(now() - 300), "not running", "running")
| table host status process
| search status="not running"

If that doesn't help, you can instead save the specific condition status = "not running" in the alert settings: Trigger Conditions -> Trigger alert when; from the drop-down, select Custom and define the condition there.

Hope this helps,

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma

richgalloway
SplunkTrust

Use this search and have the alert trigger when the number of results is zero.

---
If this reply helps you, Karma would be appreciated.
0 Karma
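The two replies above catch the "not running" case in different ways: the first filters on a status field, the second triggers when the search returns zero results. Both rely on the ps events for that process existing inside the search window, and a host that has stopped reporting the process produces no row at all, so the zero-results trigger needs one alert per host/process pair. The SPL below is an added example, not code from either reply or from the original poster; it merges the observed ps data with an inventory of hosts that are expected to run the process, so one scheduled alert covers the whole fleet and a silent host still shows up. It assumes a lookup file named expected_hosts.csv with a single host column (not mentioned anywhere on this page), host values that match the host field your forwarders set, and the same index, source and process names used in the question.

```spl
index="index-name" source=ps host="hostname*" process="process_name" earliest=-15m
| stats latest(_time) AS lastSeen BY host
| append [| inputlookup expected_hosts.csv | fields host] ```assumed lookup: one expected host per row, column "host"```
| stats max(lastSeen) AS lastSeen BY host ```hosts present only in the lookup keep a null lastSeen```
| eval status=if(isnull(lastSeen) OR lastSeen < now() - 300, "not running", "running")
| eval lastSeen=strftime(lastSeen, "%Y-%m-%d %H:%M:%S")
| where status="not running"
| table host status lastSeen
```

Save this as an alert on a cron schedule (for example every 5 minutes) with "Trigger alert when: Number of Results is greater than 0", the inverse of the zero-results trigger in the previous reply. The 300-second threshold must be larger than the polling interval of your ps input, otherwise hosts flap between the two states; and because the check compares against now(), the alert fires within one schedule cycle of the last ps event that showed the process, regardless of how old the search window is.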