Archive2
Highlighted

Alerting: customized conditions, memory is above a threshold for two times in a row for a specific server

Explorer

Hello,
I have the next query in an alert to check the status of 6 hosts:
index=idxnmondata sourcetype=Perfmon:Memory eventtype=perfmonmemory
| eval threshold=95
| where mem
used > threshold
| table time host memused threshold

I would like that the alert is triggered when for two times in a row a specific server is above 95% of mem_used.

And that in the email appears the next fields: time host memused threshold
I thought about two options but they dont match exactly what I want:
- Do a: stats dc(time) as times by host (in the search) and configure alert triggered when results are >1
>>>but in this case i lose information in the email of mem
used and _time, and I would like to see them in the table of the email

          - Inside the alert, as customized condition, to write: search dc(_time) by host > 1, but it does not work

Anyone has othe ideas? or am i doing something wrong?

I would like to maintain as well this is an only one query just to avoid consume the ressources of my search head server

Thanks in advance
Jaime

0 Karma
Reply
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.