Solved: Re: Simple stats conditional for alert

mikeely · ‎12-29-2011

I've set up a simple search for flapping interfaces on our switches, looks like so:

 LINEPROTO-5-UPDOWN: Line protocol on Interface changed state to | stats count by host

What I'd like to do is get an alert using a conditional ... stats count by host > 5 in fifteen minutes or something like that. When I try this out it returns no data:

 LINEPROTO-5-UPDOWN: Line protocol on Interface changed state to | stats count by host > 5

How do I get from there to where I want to be?

gkanapathy · ‎12-29-2011

LINEPROTO-5-UPDOWN: Line protocol on Interface changed state to | stats count by host | where count > 5

View solution in original post

gkanapathy · ‎12-29-2011

LINEPROTO-5-UPDOWN: Line protocol on Interface changed state to | stats count by host | where count > 5

mikeely · ‎12-29-2011

One would think I could have tried that myself but I've apparently got too many hats on today to be any good at one thing. Thanks!

gkanapathy · ‎12-29-2011

sorry, should be count > 5, not host. editing to fix.

mikeely · ‎12-29-2011

It looks like it should work but still "No results found" which is strange, when I take out the where clause, there are a couple values above five.

Simple stats conditional for alert

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?