Solved: Re: How to alert host stop on failover paired host...

vl951f · ‎03-07-2022

I have host stop event logged in a summary index

Index=summary search_name=feed_status

Host_name	Host_status
Host1a	Host_stop
Host2b	Host_stop
Host4a	Host_stop
Host1b	Host_stop
Host3a	Host_stop

I also have a lookup table for failover paired hosts.

Host_primary	Host_secondary
Host1a	Host1b
Host2a	Host2b
Host3a	Host3b
Host4a	Host4b

I need to generate the host stop alert when both failover paired hosts are stopped.

In this case alerting on Host1a and Host1b stopped.

vl951f · ‎03-07-2022

Hi, Giuseppe

I changed OUTPUT to OUTPUTNEW. It works.

index=summary search_name=feed_status
| lookup paired_host.csv Host_primary AS Host_name OUTPUTNEW Host_secondary as hostname2 pair_ID as pairid
| lookup paired_host.csv Host_secondary AS Host_name OUTPUTNEW Host_primary as hostname1 pair_ID as pairid
| stats dc(Host_name) AS hcount values(hostname1) AS Host_Primary values(hostname2) AS Host_secondary BY pairid
| where hcount =2

Thanks a lot for your help.

View solution in original post

gcusello · ‎03-07-2022

Hi @vl951f,

if you could add a column in the lookup containing an ID for each pair, you could use it for the check.

In other words, if the the new column is called pair_ID, you could run something like this:

index=summary search_name=feed_status
| lookup paired_host.csv Host_primary AS Host_name OUTPUT Host_secondary pair_ID
| lookup paired_host.csv Host_secondary AS Host_name OUTPUT Host_primary pair_ID
| stats dc(Host_name) AS dc_Host_name values(Host_primary) AS Host_Primary values(Host_secondary) AS Host_secondary BY pair_ID
| where dc_Host_name =2

Ciao.

Giuseppe

vl951f · ‎03-07-2022

Hi, Giuseppe

I changed OUTPUT to OUTPUTNEW. It works.

index=summary search_name=feed_status
| lookup paired_host.csv Host_primary AS Host_name OUTPUTNEW Host_secondary as hostname2 pair_ID as pairid
| lookup paired_host.csv Host_secondary AS Host_name OUTPUTNEW Host_primary as hostname1 pair_ID as pairid
| stats dc(Host_name) AS hcount values(hostname1) AS Host_Primary values(hostname2) AS Host_secondary BY pairid
| where hcount =2

Thanks a lot for your help.

gcusello · ‎03-08-2022

Hi @vl951f,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

vl951f · ‎03-07-2022

Hi, Giuseppe:

I added the column pair_ID, ad give it an unique number for each paired host. But "dc_Host_name" is always "1" after run the search.

Thanks

vl951f · ‎03-07-2022

It looks like one of the pair_ID is NULL from 2 lookup OUTPUT:

| lookup paired_host.csv Host_primary AS Host_name OUTPUT Host_secondary pair_ID
| lookup paired_host.csv Host_secondary AS Host_name OUTPUT Host_primary pair_ID

How to alert host stop on failover paired hosts

lookup

table

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?