Re: How to see if two different hosts have failure...

riotto · ‎07-25-2016

I need to return a "yes"
if (host=A has events > 0 and host=B has events > 0)
else '"no"

riotto · ‎07-26-2016

sundareshr,

Won't that search give either host=A or host=B (...or maybe both) ? I need to return a "yes' when I have failure record from BOTH host=A and host=B

sundareshr · ‎07-25-2016

Try this

index=yourindex host=A OR host=B "failure" | stats count | eval result=if(count>0, "Yes", "No")

riotto · ‎07-26-2016

Won't that return a "yes" if either host A or host B returns an event?
I need when both host a and host b return an event

sundareshr · ‎07-26-2016

Ah!!! Try this

index=yourindex host=A OR host=B "failure" | stats dc(host) as hosts | eval result=if(hosts=2, "Yes", "No")

riotto · ‎07-26-2016

Yes I believe that will do it, you da man...Is there a way to pass the value of 'result' to a windows batchfile
that will be triggered to run when this alert runs?

How to see if two different hosts have failure event records?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation