Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to alert based on a number of events for each matching server in a search?

benjamincortega
New Member
‎09-18-2015 10:05 AM

I need to create an alert based on a number of events occurring in a particular time period for multiple servers. I know how to do a search to do this for a single server, but I can't figure out if there's a way to do more than one in a single search. I don't want to have to set up individual alerts for each server (too many servers, and needs to pick new ones up automatically), and I can't have the counts need to be independent by server. So for example:

I have 100 servers that would match host=*abcd*, and I need to know if any of them have more than 3 events that match field=XXXX in a 5 minute period. It can't alert of I have three different servers that have the matching event, only if a each individual server has that count of the event.

Hopefully this makes sense.

Tags (2)
0 Karma
Reply

acharlieh
Influencer
‎09-18-2015 10:23 AM

I'm not sure if I quite understand, but I think you're looking for a search like: 

index=foo field=XXXX | stats count by host | where count > 3

We find all events that match the field, count the number for each host, keep only those hosts that have at least 3 events, and then fire the alert if this returns any results?

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...