Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alert UP and Down By Status Code

bernanda
Explorer
‎02-01-2021 07:46 PM

Hi Splunk,

Newbie here 😅 want to ask about alert.

for example we have data like

NameTimeStatusCode
AAA2021-02-02 08:00404
AAA2021-02-02 08:01200
BBB2021-02-02 09:00503
CCC2021-02-02 09:01404
BBB2021-02-02 09:30200
CCC2021-02-02 09:30200


How to create a alert base on table with cron every per 5 minutes. if StatusCode != 200 alert notif startdown and if StatusCode =200 alert notif Solved.

 

Example for the alert base on table:

"Hi AAA, you are down on 2021-02-02 08:00"

and email again if the AAA StatusCode changed to 200

"Hi AAA, you are now SOLVED on 2021-02-02 08:01"

done, until the StatusCode Changed to !=200 the alert send me the email again.

 

Another Example:

"Hi BBB, you are down on 2021-02-02 09:00"

then the StatusCode Changed to 200

"Hi BBB, you are now SOLVED on 2021-02-02 09:30"

 

On the splunk alert menu, we didn't find  for reset alert when trigger condition is no longer true. So we need a help and advice.

 

Thank you  

Labels (1)
Labels
0 Karma
Reply

manjunathmeti
Champion
‎02-02-2021 01:09 AM

hi @bernanda ,
You can create a new field in your search and use it in the email subject/body.

 

<your_base_search> | eval message=if(Status_Code==200, "Hi ".Name.", you are now SOLVED on ".Time, "Hi ".Name.", you are down on ".Time)

 

You can use $result.message$ in the email subject/message body. 

Screenshot 2021-02-02 at 2.32.34 PM.png

Change Trigger condition to trigger alert action per result. 

Screenshot 2021-02-02 at 2.33.00 PM.png

If this reply helps you, an upvote/like would be appreciated.

0 Karma
Reply

bernanda
Explorer
‎02-02-2021 02:01 AM

Hi manjunathmeti

Thank you for your reply.

When I tried like your way, I got many alerts for the all Status with the correct message. ‌‌ That is funny to empty my inbox. but it's OK 😂

I think that is need a little conditions, just like a monitoring Uptime. If node get DOWN status then send me the a alert once. and then if the node get UP status send me the alert just once. But I still try to hard.

so, thanks for you

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...