How to ignore the duplicate count

ManojPottella · ‎02-20-2020

Hi Team,

As per below output I want to know the exact count of disconnected status of each server_name by ignoring the duplicate counts.

As we are using script from splunk to ingest the server status every 5 min, once slunk triggered an alert with server is disconnected, we are manually starting and it will take 15-20 min, in between 3/4 times script will execute and ingest the server status into splunk .

in this if count the total count if disconnected state by using stats count it will include the duplicate count as well, but we need to identify the exact count.

     Server_Name             Status
server1.example.com         disconnected
server1.example.com         disconnected
server1.example.com         connected
server1.example.com         connected
server1.example.com         connected
server1.example.com         disconnected
server1.example.com         disconnected
server1.example.com         connected
server1.example.com         connected
server1.example.com         connected
server2.example.com         disconnected
server2.example.com         disconnected
server2.example.com         disconnected
server2.example.com         disconnected
server2.example.com         disconnected
server2.example.com         connected
server2.example.com         connected
server2.example.com         disconnected
server2.example.com         disconnected
server2.example.com         connected
server3.example.com         connected
server3.example.com         disconnected
server3.example.com         disconnected
server3.example.com         disconnected
server3.example.com         connected
server3.example.com         disconnected
server3.example.com         disconnected
server3.example.com         disconnected
server3.example.com         connected
server3.example.com         connected
server3.example.com         disconnected

server3.example.com disconnected
server3.example.com disconnected
server3.example.com connected

as per above result we are expecting disconnected count of each server is

server1.example.com - disconnected - count=2
server2.example.com - disconnected - count=2
server3.example.com - disconnected - count=3

any logic , please suggest ...

richgalloway · ‎02-20-2020

Ignoring events that have already been alerted is a built-in feature of Splunk. Use the 'throttling' settings in your alert. Tell it to throttle alerts for 15 minutes based on the Server_Name field.

---
If this reply helps you, Karma would be appreciated.

How to ignore the duplicate count

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!