Splunk Search

Unique host list but only when the # of hosts is < some #. To be used for alert content (inline table)

sjringo
Communicator

index=anIndex sourcetype=aSourceType ("*Starting application:*" AND (host="aHostName*")) | stats values(host) AS ServerList

The above query gives me a list of distinct server names. What I am attempting to do is use this query for an alert and provide the list of servers, but only when the # of servers in the distinct list returned in the above query is less than a specified #.

I will be configuring the alert to trigger when the results are > 0 since the trigger condition will be in the query and not the alert.

How do I modify the query above to only provide ServerList if the # of distinct servers in that list is < 10 ?

0 Karma
1 Solution

PickleRick
SplunkTrust

Since you have a multivalued field, you can do

<your search> | where mvcount(ServerList)<10

PickleRick
SplunkTrust

Ok, but where's the question? What's your problem with that?

And remember that AND is implicit, so you don't have to write (condA AND (condB)). Just do condA condB on their own. And avoid a wildcard at the beginning of a search term - it will cause Splunk to read all the events from the given time range to find a match. Especially if your search term starts at a word boundary - there's no point in adding that wildcard at the beginning. Check for yourself - search for "Starting application:" and "*Starting application:" and compare execution time.

0 Karma
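Putting the accepted answer and the search-optimisation advice together, here is a complete alert search as an added example (not from the original posts); index, sourcetype and host names are the placeholders from the question, and the threshold of 10 is the one the question asks for.

```spl
index=anIndex sourcetype=aSourceType "Starting application:" host="aHostName*"
| stats values(host) AS ServerList dc(host) AS HostCount
| where HostCount < 10
| eval ServerList=mvjoin(ServerList, ", ")
| table HostCount ServerList
```

Here `dc(host)` equals `mvcount(ServerList)` because `values()` already deduplicates; when the distinct count is 10 or more the `where` drops the single stats row, so an alert set to trigger on "number of results > 0" stays silent. `mvjoin` flattens the multivalue field so the list renders on one line in an inline table.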

sjringo
Communicator

Edited to specify what the question is. Yeah, the search can be optimized, will change that. Thanks...

0 Karma

sjringo
Communicator

Was not aware of mvcount(...)

Thanks for your input and suggestions, it's greatly appreciated!

0 Karma