Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Linux monitor process state through process ID

JIrojas
Explorer
‎05-11-2021 01:07 PM

I have been trying to create an alert that triggers whenever the process ID of a process on linux is null. Because it is not sending data, I assume the process is not running, and if it has a process ID, it is running.

Working with telegraf:

| mstats latest(_value) AS value WHERE metric_name="procstat.pid" AND index="telegraf" AND process_name="<process_name>"  fillnull_value=0 span=5m BY host, process_name
| timechart latest(value) span=5m BY host
| fillnull <hostnames> value=0 | table _time,<hostnames>

Using the zero null values formatting, I can pinpoint exactly when the processes are on downtime. However, I couldn't find a way to alert when the host PID value is null (or =0 due to the fillnull function).

Thanks!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-11-2021 02:15 PM

Adding | where host=0 to the end of the query will filter the results to only those that are null/0.  Then have the alert trigger if you get any results.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

JIrojas
Explorer
‎05-12-2021 05:58 AM

The problem I face now is I only want to table the values that are = 0 to show it in the alert description notificacion, for example, when I send an email the moment the alert triggers:

| mstats latest(_value) AS value WHERE metric_name="procstat.pid" AND index="telegraf" AND process_name="PSBRKDSP" span=5m BY host, process_name
| timechart latest(value) span=5m BY host
| fillnull host1,host2,host3,host4 value=0
| where host1=0 OR host2=0 OR host3=0 OR host4=0
| table _time,host1,host2,host3,host4

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-12-2021 01:39 PM

I don't know a way to show only the fields that are zero.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-11-2021 02:15 PM

Adding | where host=0 to the end of the query will filter the results to only those that are null/0.  Then have the alert trigger if you get any results.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...