Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to trigger an alert if http _status code =200 is not reported in logs for any host from last 15 mins ?

nilbak1
Communicator
‎12-02-2019 02:05 AM

How to trigger an alert if http _status code =200 is not reported in logs for any host from last 15 mins ?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nilbak1
Communicator
‎12-02-2019 04:18 AM

Hi @richgalloway
yes, I have been able to create the query for the alert,
I have imported lookupfile where I mentioned hosts and their count as 0 and append this with my main query and getting the desired result.
Anyways thanks for your input 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nilbak1
Communicator
‎12-02-2019 04:18 AM

Hi @richgalloway
yes, I have been able to create the query for the alert,
I have imported lookupfile where I mentioned hosts and their count as 0 and append this with my main query and getting the desired result.
Anyways thanks for your input 🙂

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-02-2019 03:47 AM

If you mean no host has reported code 200 then run a search over the last 15 minutes looking for http_status=200. Trigger an alert if the number of results is zero.
For any single host, it's more complex because Splunk will find hosts that have reported, but cannot find those which have not (you can't search for something that doesn't exist). The solution is to have a list of hosts and compare that list to the list of hosts which have reported code 200. Trigger an alert when the two lists don't match.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...
Top