Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a Splunk search command that raises an alert when a host's count is high compared to other hosts?

bishtk
Communicator
‎09-04-2018 08:48 AM

Dear All,

I need help raising an alert that would return which host has a higher count than the others. Below is the output of my search query. Please suggest the comparison or suitable command to this issue.

host count
ABC 1349
DEF 1598
GHI 1123
KLM 1150
NOP 1329

0 Karma
Reply

adonio
Ultra Champion
‎09-04-2018 02:15 PM

hello there, hope i understand your requirement
try this:

| tstats count as event_count where index=* by host
| sort 1 -event_count

change the number after sort to show how many hosts with the most events will appear in your results

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎09-04-2018 03:39 PM

What about | top 1 instead of sort?

Sort has a 10k limit by default.

0 Karma
Reply

mstjohn_splunk
Splunk Employee
Splunk Employee
‎09-04-2018 09:43 AM

Hi @kundanbisht,

Thank you for posting your search outputs above. But would you mind posting the search that you tried, even though it didn't work? Generally, our community is more inclined to help out if they have more to go on.

Happy Splunking!

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...