Solved: Re: Count By host

hartfoml · ‎10-30-2012

I am using this statement below to run every hour of the day looking for the value that is 1 on multiple hosts named in the search. A good startup is where I get 2 or more of the same event in one hour. If I get 0 then the system is running if I get one the system is not running.

search | timechart span=h count by host | where count < 2

I am expecting a total count of 2 of more for each host and if I get an event were count per host is less than 2 I want to get an alert. I actually would like to get an alert if the count is grater than 0 but less than 2. The above statement is not working for me. Any suggestions

gkanapathy · ‎10-30-2012

Your problem may be addressed by: http://splunk-base.splunk.com/answers/62196/any-way-to-return-zero-result-count-stats-of-a-field-suc... which is the same as http://splunk-base.splunk.com/answers/23839/include-zero-count-in-stats-count

View solution in original post

gkanapathy · ‎10-30-2012

Your problem may be addressed by: http://splunk-base.splunk.com/answers/62196/any-way-to-return-zero-result-count-stats-of-a-field-suc... which is the same as http://splunk-base.splunk.com/answers/23839/include-zero-count-in-stats-count

Count By host

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation