Is there a Splunk search command that raises an al...

bishtk · ‎09-04-2018

Dear All,

I need help raising an alert that would return which host has a higher count than the others. Below is the output of my search query. Please suggest the comparison or suitable command to this issue.

host count
ABC 1349
DEF 1598
GHI 1123
KLM 1150
NOP 1329

adonio · ‎09-04-2018

hello there, hope i understand your requirement
try this:

| tstats count as event_count where index=* by host
| sort 1 -event_count

change the number after sort to show how many hosts with the most events will appear in your results

jkat54 · ‎09-04-2018

What about | top 1 instead of sort?

Sort has a 10k limit by default.

mstjohn_splunk · ‎09-04-2018

Hi @kundanbisht,

Thank you for posting your search outputs above. But would you mind posting the search that you tried, even though it didn't work? Generally, our community is more inclined to help out if they have more to go on.

Happy Splunking!

Is there a Splunk search command that raises an alert when a host's count is high compared to other hosts?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation