Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Re: How to create a search condition in Splunk whe...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to get alerts for the situations which are different from below conditions:
Server a B C D
condition ü ü X X
X X ü ü
I want to check Splunk, for the above servers, if this condition is there then it's ok- otherwise, it will alert us via email.
PS: The above condition means either a and B is UP and C and D is down or A and B is Down and C and D is UP.
If there are any other conditions like all are UP or all are DOWN or A and C are UP or many more condition then it will alert us.
But I am not able to use Splunk to set this condition, can anyone please help me with this?
I am not sure if we can use LOOKUP table to check this one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ruchijain,
I'm assuming you have a table that looks as follows :
A B C D
u u X X
u u u X
u X X X
X X u u
If that's the case then something like this will return all the events you need :
YourBaseSearch ( A=u B=u C=X D=X) OR ( A=X B=X C=u D=u)
Adding NOT will return all the events that should alert you :
YourBaseSearch NOT ( ( A=u B=u C=X D=X) OR ( A=X B=X C=u D=u) )
If you want you can share a sample event so I can help you build a search that's closer to what you will be using.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sample is right as below:
currently A and B is showing service status as status =running (sourcetype=service_stutus ---> where i am using service jboss status)
C and D are editorial servers and not running so status is stopped
I want to run the query when A and B are running and C and D are stopped or vice versa (A and B are stopped and C and D are running)
For rest of the status combination it should sent the alert
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ruchijain,
I'm assuming you have a table that looks as follows :
A B C D
u u X X
u u u X
u X X X
X X u u
If that's the case then something like this will return all the events you need :
YourBaseSearch ( A=u B=u C=X D=X) OR ( A=X B=X C=u D=u)
Adding NOT will return all the events that should alert you :
YourBaseSearch NOT ( ( A=u B=u C=X D=X) OR ( A=X B=X C=u D=u) )
If you want you can share a sample event so I can help you build a search that's closer to what you will be using.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sample is right as below:
currently A and B is showing service status as status =running (sourcetype=service_stutus ---> where i am using service jboss status)
C and D are editorial servers and not running so status is stopped
I want to run the query when A and B are running and C and D are stopped or vice versa (A and B are stopped and C and D are running)
For rest of the status combination it should sent the alert
September Community Champions: A Shoutout to Our Contributors!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
