Re: How to see if two different hosts have failure...

riotto · ‎07-25-2016

I need to return a "yes"
if (host=A has events > 0 and host=B has events > 0)
else '"no"

riotto · ‎07-26-2016

sundareshr,

Won't that search give either host=A or host=B (...or maybe both) ? I need to return a "yes' when I have failure record from BOTH host=A and host=B

sundareshr · ‎07-25-2016

Try this

index=yourindex host=A OR host=B "failure" | stats count | eval result=if(count>0, "Yes", "No")

riotto · ‎07-26-2016

Won't that return a "yes" if either host A or host B returns an event?
I need when both host a and host b return an event

sundareshr · ‎07-26-2016

Ah!!! Try this

index=yourindex host=A OR host=B "failure" | stats dc(host) as hosts | eval result=if(hosts=2, "Yes", "No")

riotto · ‎07-26-2016

Yes I believe that will do it, you da man...Is there a way to pass the value of 'result' to a windows batchfile
that will be triggered to run when this alert runs?

How to see if two different hosts have failure event records?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

How to see if two different hosts have failure event records?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine