Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to trigger an alert if http _status code =200 is not reported in logs for any host from last 15 mins ?

nilbak1
Communicator
‎12-02-2019 02:05 AM

How to trigger an alert if http _status code =200 is not reported in logs for any host from last 15 mins ?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nilbak1
Communicator
‎12-02-2019 04:18 AM

Hi @richgalloway
yes, I have been able to create the query for the alert,
I have imported lookupfile where I mentioned hosts and their count as 0 and append this with my main query and getting the desired result.
Anyways thanks for your input 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nilbak1
Communicator
‎12-02-2019 04:18 AM

Hi @richgalloway
yes, I have been able to create the query for the alert,
I have imported lookupfile where I mentioned hosts and their count as 0 and append this with my main query and getting the desired result.
Anyways thanks for your input 🙂

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-02-2019 03:47 AM

If you mean no host has reported code 200 then run a search over the last 15 minutes looking for http_status=200. Trigger an alert if the number of results is zero.
For any single host, it's more complex because Splunk will find hosts that have reported, but cannot find those which have not (you can't search for something that doesn't exist). The solution is to have a list of hosts and compare that list to the list of hosts which have reported code 200. Trigger an alert when the two lists don't match.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top