Splunk Search

unable to all the display values if a condition is met

Engager

Hi Everyone

I am trying to display the status of all the servers even if one one server status is OUT. like below.

server1 IN
server2 IN
server3 OUT
server4 IN

I an getting it without a condition but if I add a where clause... its giving me only the server which is out.

I am not able to schedule a alert for this.

index=app_ops_prod host=server* sourcetype="access" "/open/Alive.jsp" | stats latest(fr_status) as lt_status by host | eval server_status=if(match(lt_status,"404"),"OUT", "IN") | where server_status="OUT" | table host,server_status

my goal is to schedule a alert and display the status of all the servers even if one server status is OUT.

please advise.

Tags (2)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

@sukundur, take out the following filter from your Alert search query.

 | where server_status="OUT"

And then Set custom Trigger Action i.e.

Trigger Condition:
Custom: "search server_status="OUT" 

Refer to Splunk Documentation on Custom Trigger Condition Example

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

@sukundur, take out the following filter from your Alert search query.

 | where server_status="OUT"

And then Set custom Trigger Action i.e.

Trigger Condition:
Custom: "search server_status="OUT" 

Refer to Splunk Documentation on Custom Trigger Condition Example

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

Engager

it worked . niketliay. thank you so much

0 Karma

Engager

I tried this option and not sure why this alert is not triggering.

0 Karma

SplunkTrust
SplunkTrust

How about running this query first for the same time-range as your search

index=app_ops_prod host=server* sourcetype="access" "/open/Alive.jsp" 
| stats latest(fr_status) as lt_status by host 
| eval server_status=if(match(lt_status,"404"),"OUT", "IN") 
| table host,server_status

Ans then test whether search filter is working or not

index=app_ops_prod host=server* sourcetype="access" "/open/Alive.jsp" 
| stats latest(fr_status) as lt_status by host 
| eval server_status=if(match(lt_status,"404"),"OUT", "IN") 
| table host,server_status
| search server_status="OUT" 
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma