Splunk ITSI
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Create e-mail alerts for inactive and unstable entities

rmo23
Explorer
‎06-08-2024 07:28 AM

Hi guys!

how to proceed to create alerts on inactive and unstable entities .

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-09-2024 03:03 AM

Hi @rmo23 ,

as also @yuanliu said, you should share more details about your infrastructure.

Anyway, in ITSI there's an asset inventory that should be complete (otherwise you have a very bigger issue!).

So,  you could use the lookup containing these asset (I don' t remember its name) and run a search like the following:

| tstats 
     count
     where index=*
     BY host
| append [ | inputlookup your_asset_lookup | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

Reply

rmo23
Explorer
‎06-09-2024 08:38 AM

hi
Indeed, thanks to ITSI, I can have data on the metrics, the status of my servers, active or inactive, I can predict the status of my infrastructure, etc. I just want to receive email alerts only when my servers are inactive, I only see this status when I'm in ‘Entity Overview’ if it's possible to configure an email alert on it.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-09-2024 09:09 AM

Hi @rmo23 ,

at first see if there is the way (I don't know very deeply ITSI) to enable as action the email sending.

If not extract the search from this dashboard and create a custom alert.

Ciao.

Giuseppe

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-08-2024 12:53 PM

Until you can tell us what data you have, what field/value in that data indicates inactive and unstable entities, and how you want the output to look like, volunteers are not going to help you.

0 Karma
Reply

rmo23
Explorer
‎06-08-2024 01:09 PM

hi
I manage to monitor the servers divided into services via the ITSI.
However, I would like to receive email alerts when some of my servers change state, either inactive or unstable, for better reactivity.

0 Karma
Reply

proyleJDS
Path Finder
‎08-06-2024 10:53 PM

You could use a search like this to check if the entities mapped in a service are receiving events within a specified time frame, if not you could consider them unstable and alert

| inputlookup itsi_entities append=true 
| rename services._key as service_key 
| rename title as entity 
| fields entity, service_key 
| where isnotnull(service_key) 
| mvexpand service_key 
| inputlookup service_kpi_lookup append=true 
| eval key=coalesce(service_key,_key) 
| stats values(entity) as host, values(title) as service by key 
| mvexpand host 
| dedup host 
| fields host 
| eval host=lower(host) 
| join type=outer host 
    [| metadata type=hosts index=_internal 
    | eval host=lower(host) 
    | eval status = if(lastTime>now()-180,1,0)] 
| eval status=if(status=1,1,0)

 

Reply
Get Updates on the Splunk Community!

Let’s Talk Terraform

If you’re beyond the first-weeks-of-a-startup stage, chances are your application’s architecture is pretty ...

Cloud Platform | Customer Change Announcement: Email Notification is Available For ...

The Notification Team is migrating our email service provider. As the rollout progresses, Splunk has enabled ...

Save the Date: GovSummit Returns Wednesday, December 11th!

Hey there, Splunk Community! Exciting news: Splunk’s GovSummit 2024 is returning to Washington, D.C. on ...