Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to alert based on a number of events for each matching server in a search?

benjamincortega
New Member
‎09-18-2015 10:05 AM

I need to create an alert based on a number of events occurring in a particular time period for multiple servers. I know how to do a search to do this for a single server, but I can't figure out if there's a way to do more than one in a single search. I don't want to have to set up individual alerts for each server (too many servers, and needs to pick new ones up automatically), and I can't have the counts need to be independent by server. So for example:

I have 100 servers that would match host=*abcd*, and I need to know if any of them have more than 3 events that match field=XXXX in a 5 minute period. It can't alert of I have three different servers that have the matching event, only if a each individual server has that count of the event.

Hopefully this makes sense.

Tags (2)
0 Karma
Reply

acharlieh
Influencer
‎09-18-2015 10:23 AM

I'm not sure if I quite understand, but I think you're looking for a search like: 

index=foo field=XXXX | stats count by host | where count > 3

We find all events that match the field, count the number for each host, keep only those hosts that have at least 3 events, and then fire the alert if this returns any results?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...