Hi all,
I have the below query:
index=advcf request=* host=abgc host=efgh host=jhty host=hjyu host=kjnbh
Here I want the email alert to trigger when data is not coming from any one of the hosts, and I want to see that host name in a table format in the mail.
How can I do that?
Just append some dummy records for each host and assign an event count of 0 to it. Instead of count, use sum to add up the results.
index=advcf request=* host IN (abgc, efgh, jhty, hjyu, kjnb)
| eval event_ct=1
| append [| makeresults
| eval host="abgc, efgh, jhty, hjyu, kjnb"
| rex field=host mode=sed "s/\s+//g"
| eval host=split(host,",")
| mvexpand host
| eval event_ct=0
]
| stats sum(event_ct) AS event_ct BY host
| where event_ct=0
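The same "append a zero-count row per expected host" idea, as an added example that is not from the thread, restructured so the events are aggregated per host first and the resulting alert table also shows when each missing host last reported within the search window (the index and host names are the ones from the question; the last_seen column and its formatting are additions):

```spl
index=advcf request=* host IN (abgc, efgh, jhty, hjyu, kjnb)
| stats count AS event_ct, max(_time) AS last_seen BY host
| append [
    | makeresults
    | eval host=split("abgc,efgh,jhty,hjyu,kjnb", ",")
    | mvexpand host
    | eval event_ct=0
    | fields host event_ct
  ]
| stats sum(event_ct) AS event_ct, max(last_seen) AS last_seen BY host
| where event_ct=0
| eval last_seen=if(isnull(last_seen), "not seen in search window", strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| table host event_ct last_seen
```

Save it as a scheduled alert that triggers when the number of results is greater than 0, and include the results inline in the email action so the missing hosts arrive as a table.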
Finding something that is not there is not Splunk's strong suit. See this blog entry for a good write-up on it.
https://www.duanewaddle.com/proving-a-negative/
@richgalloway, thanks for the info. As per the link provided, without a lookup file we cannot see the host data with a 0 count. I got it.
But now my requirement is: how can I create an alert when no data is coming from any one of the hosts?
I created the below query for that; please let me know if this is correct:
index=advcf request=* host IN (abgc, efgh, jhty, hjyu, kjnb)
| stats count
| where count=0
That query will trigger an alert only if there are no results from all hosts.
But I want the alert to be triggered when data is not coming from 1 host as well...
I tried to use the below query but I am getting the below error:
Error in 'search operator:rex': usage:regex[field=<field>]<regex>
Please share the query that produced the error message. Is that the complete error text? It appears to be incomplete and incorrect.
I used the same query given; the only change from the original query is the host and index names, and the error I posted is the complete error.
My requirement is just that I need to trigger an alert when data is not coming from any of the hosts.
@richgalloway, as you said, the query I gave will trigger an alert only when data is not available in all 5 hosts.
But I want the alert to be triggered even when data is not there in 1 host as well.
Can you please tune this query?
index=advcf request=* host IN (abgc, efgh, jhty, hjyu, kjnb) | stats count | where count=0
Have you tried the query suggested by @johnhuang? It looks good to me.
I tried to use the query but I am getting the below error:
Error in 'search operator:rex': usage:regex[field=<field>]<regex>
Interesting. The exact query, without changes, works fine for me. Please post the exact query you used.
Hi @richgalloway, there was a typo in my original query. I noticed that, and now the given query is working fine.
Thanks a lot @richgalloway and @johnhuang for getting this done. 😊
I accept this as a solution.