Hello everybody (good morning, everyone)
I have a new request for all members 🙂
This search:
sourcetype=sccm |streamstats count current=t resetonchange=true by datewday,datemonth,datehour,dateminute,datesecond, ServiceStatus | table count, ServiceStatus,ServiceName
count ServiceStatus ServiceName
1 Found service XDSnscls
2 Found service XDSsnaptunnel
3 Found service XDSclm
4 Found service XDSsdsd
5 Found service XDSsccm
6 Found service XDSsccmms
7 Found service XDSdss
8 Found service XDSauth
This is the same pattern every time and I wish to create an alert.
For example:
Verify the list of Service_Name and if one of them isn't in the list, I have an alert.
My solution would be:
1. Create a lookup file with the services that you expect. Two columns: service_name and status. Status is a dummy field.
2. Create a search which starts with | inputlookup and join that with your search so if your search doesn't return a result you miss a field from that search. Finish the search with | search NOT certainField = *
3. Create an alert based on that search which results in all events from the lookup for which no data was found in the index.
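The three steps above, worked through as an added example that is not part of the answer above and not Splunk's own code: a constructed expected-services lookup (the two-column shape the answer describes), a constructed handful of sccm events in an assumed key=value layout using the ServiceStatus/ServiceName field names from the question, and the lookup-minus-observed logic the alert relies on. The SPL in the comment is an assumed reference rendering of step 2 (left join plus `search NOT seen=*`), not something executed here; the lookup file name and the `seen` field are assumptions.

```python
import csv
import io
import re

# Constructed lookup file mirroring the answer's two-column lookup
# (service_name plus a dummy status column). Not a real Splunk file.
EXPECTED_SERVICES_CSV = """service_name,status
XDSnscls,expected
XDSsnaptunnel,expected
XDSclm,expected
XDSsdsd,expected
XDSsccm,expected
XDSsccmms,expected
XDSdss,expected
XDSauth,expected
"""

# Constructed sample events. The field names come from the question; the
# key=value line layout and the timestamps/host are assumed. XDSauth is
# present but not reported as "Found service", which should still raise the alert.
SAMPLE_EVENTS = """2024-03-01 06:00:01 host=srv01 ServiceStatus="Found service" ServiceName="XDSnscls"
2024-03-01 06:00:01 host=srv01 ServiceStatus="Found service" ServiceName="XDSsnaptunnel"
2024-03-01 06:00:02 host=srv01 ServiceStatus="Found service" ServiceName="XDSclm"
2024-03-01 06:00:02 host=srv01 ServiceStatus="Found service" ServiceName="XDSsdsd"
2024-03-01 06:00:03 host=srv01 ServiceStatus="Found service" ServiceName="XDSsccm"
2024-03-01 06:00:03 host=srv01 ServiceStatus="Found service" ServiceName="XDSsccmms"
2024-03-01 06:00:04 host=srv01 ServiceStatus="Found service" ServiceName="XDSdss"
2024-03-01 06:00:04 host=srv01 ServiceStatus="Missing service" ServiceName="XDSauth"
"""

# Assumed SPL rendering of step 2 (reference only, not executed by this script):
#   | inputlookup expected_services.csv
#   | join type=left service_name
#       [ search sourcetype=sccm ServiceStatus="Found service"
#         | rename ServiceName AS service_name
#         | stats count AS seen BY service_name ]
#   | search NOT seen=*
# Rows surviving the final filter are lookup entries with no matching event.

EVENT_RE = re.compile(r'ServiceStatus="(?P<status>[^"]*)"\s+ServiceName="(?P<name>[^"]*)"')


def load_expected(csv_text):
    """Step 1: the set of service names the lookup says must be present."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["service_name"] for row in reader}


def observed_services(events_text):
    """Stand-in for the subsearch: count 'Found service' events per ServiceName."""
    seen = {}
    for line in events_text.splitlines():
        match = EVENT_RE.search(line)
        if match and match.group("status") == "Found service":
            name = match.group("name")
            seen[name] = seen.get(name, 0) + 1
    return seen


def missing_services(expected, seen):
    """Stand-in for the left join + 'search NOT seen=*': expected names with no count."""
    return sorted(expected - set(seen))


def evaluate_alert(csv_text, events_text):
    """Step 3: the alert fires when at least one expected service was not found."""
    expected = load_expected(csv_text)
    seen = observed_services(events_text)
    missing = missing_services(expected, seen)
    return {"missing": missing, "alert": bool(missing)}


if __name__ == "__main__":
    print(evaluate_alert(EXPECTED_SERVICES_CSV, SAMPLE_EVENTS))
```

Two points worth keeping in mind when turning this into the real search: the join key must carry the same field name on both sides (hence the rename of ServiceName to service_name), and the subsearch should be restricted to the status you treat as healthy, otherwise a service that is logged with some other status would count as present.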