Solved: Re: retrieve host count depending on host value

marcosrios · ‎04-06-2016

Hi, I'm trying to accomplish the following:
* alert when there is a host that has less than 2 occurences
* alert when the total count is less than 12

index=vts sourcetype=vtsr host=server* "Batch Processor is turned ON" | stats count(host) as hostCount by host | addcoltotals labelfield=host

host               hostCount
server 1           3
server 2           3
server 3           2
server 4           2
server 5           2
server 6           2
Total              14

How can I validate for each server and total count values just to specify when to trigger the alert?

Regards!

somesoni2 · ‎04-06-2016

Give this a try

 index=vts sourcetype=vtsr host=server* "Batch Processor is turned ON" | stats count(host) as hostCount by host | eventstats sum(hostCount) as total | where hostCount<2 OR total<12

View solution in original post

somesoni2 · ‎04-06-2016

Give this a try

 index=vts sourcetype=vtsr host=server* "Batch Processor is turned ON" | stats count(host) as hostCount by host | eventstats sum(hostCount) as total | where hostCount<2 OR total<12

mlf · ‎04-06-2016

Just set a custom condition on the alert:

search (host!=Total AND hostCount<2) OR (host=Total AND hostCount<12)

woodcock · ‎04-06-2016

Add this on:

... | eventstats count(eval(host!="Total" AND hostCount<2)) AS Trigger1 last(hostCount) AS Trigger2

Then trigger your alert on "Trigger1>0 AND Trigger2<12"

retrieve host count depending on host value

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Are you a member of the Splunk Community?

retrieve host count depending on host value

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor