Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

unable to all the display values if a condition is met

sukundur
Engager
‎04-01-2018 01:35 PM

Hi Everyone

I am trying to display the status of all the servers even if one one server status is OUT. like below.

server1 IN
server2 IN
server3 OUT
server4 IN

I an getting it without a condition but if I add a where clause... its giving me only the server which is out.

I am not able to schedule a alert for this.

index=app_ops_prod host=server* sourcetype="access" "/open/Alive.jsp" | stats latest(fr_status) as lt_status by host | eval server_status=if(match(lt_status,"404"),"OUT", "IN") | where server_status="OUT" | table host,server_status

my goal is to schedule a alert and display the status of all the servers even if one server status is OUT.

please advise.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎04-01-2018 02:45 PM

@sukundur, take out the following filter from your Alert search query.

 | where server_status="OUT"

And then Set custom Trigger Action i.e.

Trigger Condition:
Custom: "search server_status="OUT"

Refer to Splunk Documentation on Custom Trigger Condition Example

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎04-01-2018 02:45 PM

@sukundur, take out the following filter from your Alert search query.

 | where server_status="OUT"

And then Set custom Trigger Action i.e.

Trigger Condition:
Custom: "search server_status="OUT"

Refer to Splunk Documentation on Custom Trigger Condition Example

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

sukundur
Engager
‎04-02-2018 05:48 AM

it worked . niketliay. thank you so much

0 Karma
Reply
Solved! Jump to solution

sukundur
Engager
‎04-01-2018 08:17 PM

I tried this option and not sure why this alert is not triggering.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-02-2018 02:06 AM

How about running this query first for the same time-range as your search

index=app_ops_prod host=server* sourcetype="access" "/open/Alive.jsp" 
| stats latest(fr_status) as lt_status by host 
| eval server_status=if(match(lt_status,"404"),"OUT", "IN") 
| table host,server_status

Ans then test whether search filter is working or not 

index=app_ops_prod host=server* sourcetype="access" "/open/Alive.jsp" 
| stats latest(fr_status) as lt_status by host 
| eval server_status=if(match(lt_status,"404"),"OUT", "IN") 
| table host,server_status
| search server_status="OUT"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...