- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to search on multiple key/value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"Log was backed up. Database: <abc>" host=<xyz>
I currently have multiple alerts - one for each database / server. There must be a better way to perform the following search Where I have multiple multiple hosts containing multiple databases and to alert when an individual database has zero events within a 60 minute window?
This seems very cumbersome, and I don't know how to set up alert to capture the database / server when no events are occurring.
"Log was backed up. " Database: <abc_1> OR Database: <abc_2> host=<xyz_1> OR host=<xyz_1> OR host=<xyz_2>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One way of doing this is to have those servers/databases in a lookup and then use that lookup in your search to see which lookup row (host-database combination) has data.
Something like this (assuming field database is already extracted)
|inputlookup hostdatabase.csv | search NOT [ search "Log was backed up. " | stats count by host database | table host database ]
Try this if database field is not extracted
|inputlookup hostdatabase.csv | search NOT [ search "Log was backed up. " | rex "Log was backed up\.\s+(?<database>\S+)" | stats count by host database | table host database ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One way of doing this is to have those servers/databases in a lookup and then use that lookup in your search to see which lookup row (host-database combination) has data.
Something like this (assuming field database is already extracted)
|inputlookup hostdatabase.csv | search NOT [ search "Log was backed up. " | stats count by host database | table host database ]
Try this if database field is not extracted
|inputlookup hostdatabase.csv | search NOT [ search "Log was backed up. " | rex "Log was backed up\.\s+(?<database>\S+)" | stats count by host database | table host database ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This solution works as expected! Thank you!
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
