Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to trigger an alert if http _status code =200 is not reported in logs for any host from last 15 mins ?

nilbak1
Communicator
‎12-02-2019 02:05 AM

How to trigger an alert if http _status code =200 is not reported in logs for any host from last 15 mins ?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nilbak1
Communicator
‎12-02-2019 04:18 AM

Hi @richgalloway
yes, I have been able to create the query for the alert,
I have imported lookupfile where I mentioned hosts and their count as 0 and append this with my main query and getting the desired result.
Anyways thanks for your input 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nilbak1
Communicator
‎12-02-2019 04:18 AM

Hi @richgalloway
yes, I have been able to create the query for the alert,
I have imported lookupfile where I mentioned hosts and their count as 0 and append this with my main query and getting the desired result.
Anyways thanks for your input 🙂

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-02-2019 03:47 AM

If you mean no host has reported code 200 then run a search over the last 15 minutes looking for http_status=200. Trigger an alert if the number of results is zero.
For any single host, it's more complex because Splunk will find hosts that have reported, but cannot find those which have not (you can't search for something that doesn't exist). The solution is to have a list of hosts and compare that list to the list of hosts which have reported code 200. Trigger an alert when the two lists don't match.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top