Solved: Re: retrieve host count depending on host value

marcosrios · ‎04-06-2016

Hi, I'm trying to accomplish the following:
* alert when there is a host that has less than 2 occurences
* alert when the total count is less than 12

index=vts sourcetype=vtsr host=server* "Batch Processor is turned ON" | stats count(host) as hostCount by host | addcoltotals labelfield=host

host               hostCount
server 1           3
server 2           3
server 3           2
server 4           2
server 5           2
server 6           2
Total              14

How can I validate for each server and total count values just to specify when to trigger the alert?

Regards!

somesoni2 · ‎04-06-2016

Give this a try

 index=vts sourcetype=vtsr host=server* "Batch Processor is turned ON" | stats count(host) as hostCount by host | eventstats sum(hostCount) as total | where hostCount<2 OR total<12

View solution in original post

somesoni2 · ‎04-06-2016

Give this a try

 index=vts sourcetype=vtsr host=server* "Batch Processor is turned ON" | stats count(host) as hostCount by host | eventstats sum(hostCount) as total | where hostCount<2 OR total<12

mlf · ‎04-06-2016

Just set a custom condition on the alert:

search (host!=Total AND hostCount<2) OR (host=Total AND hostCount<12)

woodcock · ‎04-06-2016

Add this on:

... | eventstats count(eval(host!="Total" AND hostCount<2)) AS Trigger1 last(hostCount) AS Trigger2

Then trigger your alert on "Trigger1>0 AND Trigger2<12"

retrieve host count depending on host value

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Join the Conversation