Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to set an alert that will trigger an email when based on these conditions?

AdixitSplunk
Path Finder
‎02-03-2017 03:50 AM

HI All,
I need some help in setting alerts for a condition, where I'm using a simple Splunk search to get whether the service is started for 3 hosts: Index=xyz sourcetype=123 Message="Started"|stats count by host Message|addcoltotals

Host  Message  Count
123   started  1
345   started  1
567   started  1
Total          3

Now i want to set an alert condition which will trigger an email when :
a) AS soon as the count total is 3
b) If the count total is less than 3 from 5:10 -5:30 PM

If can be done in two ways one from alert setting and other editing in the search.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-03-2017 08:09 AM

Hi AdixitSplunk
you could create a a search like this:

index=xyz sourcetype=123 Message="Started" (host=host1 OR host=host2 OR host=host3) 
| dedup host 
| stats count 
| where count<3

and so generate an alert.
if the servers number will grow, you can insert them in a lookup table:

index=xyz sourcetype=123 Message="Started" [ | impulookup server_lookup.csv | fields host ] 
| appendpipe [ | impulookup server_lookup.csv | stats count AS number]
| dedup host 
| stats values(number) AS number count 
| where count<number

You have only to decide the time period to use in the search and for the alert frequency.

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-03-2017 08:09 AM

Hi AdixitSplunk
you could create a a search like this:

index=xyz sourcetype=123 Message="Started" (host=host1 OR host=host2 OR host=host3) 
| dedup host 
| stats count 
| where count<3

and so generate an alert.
if the servers number will grow, you can insert them in a lookup table:

index=xyz sourcetype=123 Message="Started" [ | impulookup server_lookup.csv | fields host ] 
| appendpipe [ | impulookup server_lookup.csv | stats count AS number]
| dedup host 
| stats values(number) AS number count 
| where count<number

You have only to decide the time period to use in the search and for the alert frequency.

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

AdixitSplunk
Path Finder
‎02-09-2017 04:28 AM

HI Cusello ,
I have this query can we set up a alert and send 2 separate mails as per the condition in the query .
index=xyz sourcetype=123 Message="Started" (host=host1 OR host=host2 OR host=host3)
| dedup host
| stats count
| where count <=3
One mail if count is < 3 and one mail when count is = 3 .
Is this possible 😐

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-03-2017 06:19 AM

What is the time range that you use for your search? How frequently those service start/stop?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...