get alert when service is down / just once

adcom53 · ‎08-23-2020

Hello

I have two csv file:

1- all_services.csv

service

a

b

c

d

e

2- up_services.csv

service

a

b

c

d

==> this means the service e is down

==> what i want is to Generate an alert just once to give me the service who is down ( as long as the service is down i don't whant any other alert)

If for example the service d is down I want to get an alert that contain only the service d (not d+ e)

rnowitzki · ‎08-24-2020

Hi @adcom53 ,

Here is an approach that introduces another csv and another saved search.

This is the search for the alert:

| inputlookup all_services.csv
| lookup up_services.csv service OUTPUT service as upservice
| lookup down_services.csv service OUTPUT service as downservice
| where isnull(downservice) AND isnull(upservice)
| fields service
| outputlookup append=true down_services.csv

It detects services that are not up and where an alert was not yet triggered. The result is appended to down_services.csv

Just before you run the alert search (like 1 minute earlier) you run this saved search:

| inputlookup all_services.csv
| lookup up_services.csv service OUTPUT service as upservice
| lookup down_services.csv service OUTPUT service as downservice
| where isnull(upservice) and NOT isnull(downservice)
| fields service
| outputlookup down_services.csv

This removes already reported services that are up again, but keeps the already reported (and still down) services in down_service.csv

Hope it works for you.

BR
Ralph
--
Karma and/or Solution tagging appreciated.

--
Karma and/or Solution tagging appreciated.

get alert when service is down / just once

configuration

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!