Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create alert from stats value

jrprez1804
Path Finder
‎07-23-2017 11:13 AM

We have a script that pulls the disk info than the Universalforwarder reads the data and send to Splunk. With the query below I can generate a table with a clean output but now I need an alert on diskusage in above 80% utilization. In the example I would like DB1 C drive current condition to fire an triggered Splunk alert.

index=popeye host=DB1 OR DB2 sourcetype="DiskInfo*" 
| rex "C: \s+\d+\.\d\s+(?<Percent_C_FS>\S+)"
| rex "D: \s+\d+\.\d\s+(?<Percent_D_FS>\S+)"
dudup host | stats count by host Percent_C_FS Percent_D_FS



host         Percent_C_FS       Percent_D_FS

DB1                       15                                 75
DB2                      55                                 65
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2017 11:44 AM

Try this search. Set the alert to trigger if the result count is not zero.

index=popeye host=DB1 OR DB2 sourcetype="DiskInfo*" 
| rex "C: \s+\d+\.\d\s+(?<Percent_C_FS>\S+)"
| rex "D: \s+\d+\.\d\s+(?<Percent_D_FS>\S+)"
| where (Percent_C_FS < 20) OR (Percent_D_FS < 20)
dudup host | stats count by host Percent_C_FS Percent_D_FS
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2017 11:44 AM

Try this search. Set the alert to trigger if the result count is not zero.

index=popeye host=DB1 OR DB2 sourcetype="DiskInfo*" 
| rex "C: \s+\d+\.\d\s+(?<Percent_C_FS>\S+)"
| rex "D: \s+\d+\.\d\s+(?<Percent_D_FS>\S+)"
| where (Percent_C_FS < 20) OR (Percent_D_FS < 20)
dudup host | stats count by host Percent_C_FS Percent_D_FS
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

jrprez1804
Path Finder
‎07-24-2017 05:20 AM

Thanks that is exactly what I needed.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...