I have a total of 12 hosts coming through my sourcetype (input), listed below:
UK1 App Server 1
UK1 App Server 2
UK1 Worker Server 1
UK1 Worker Server 2
UK3 App Server 1
UK3 App Server 2
UK3 Worker Server 1
UK3 Worker Server 2
US2 App Server 1
US2 App Server 2
US2 Worker Server 1
US2 Worker Server 2
I have one Splunk search below:
sourcetype="*Process Host" | stats count by source, host
host                     count
UK1 App Server 1            13
UK1 App Server 2             5
UK1 Worker Server 1        205
UK1 Worker Server 2         27
UK3 Worker Server 1        782
UK3 Worker Server 2        193
US2 App Server 1             1
US2 Worker Server 2         25
From the search above, I am not getting any records for the four hosts below:
UK3 App Server 1,
UK3 App Server 2,
US2 App Server 2,
US2 Worker Server 1
If no record is returned for any host, then an alert should trigger saying that these hosts are not getting updated OR no records were found for these hosts.
Can anyone please tell me how we can create this type of alert?
Thanks in advance.
Sachin Singh
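One way to build the alert described in the post above, as an added example that is not part of the original post: keep the full list of expected hosts in a lookup, merge it with the live counts, and report every host whose count stays at zero. The lookup name `expected_hosts.csv` (a CSV with a single `host` column holding the 12 names exactly as the `host` field reports them) and the `-24h` time window are assumptions; the time window should match the schedule the alert runs on.

```spl
| inputlookup expected_hosts.csv
| fields host
| eval count=0
| append
    [ search sourcetype="*Process Host" earliest=-24h
      | stats count BY host ]
| stats sum(count) AS count BY host
| where count=0
| rename host AS missing_host
```

Every expected host starts with `count=0` from the lookup; the subsearch appends the real counts, and `stats sum(count) BY host` collapses the two rows per host, so only hosts that sent nothing in the window remain after `where count=0`. Save the search as an alert on a cron schedule and set the trigger condition to "Number of Results" greater than 0; the result rows then name the silent hosts. Host names must match the `host` field character for character (including case and spacing), otherwise a host is reported as missing even when it is logging, so it is worth checking the lookup against `| stats count BY host` once before scheduling. A host that goes quiet is also a monitoring blind spot, which is why this kind of "no data" alert is worth having independently of the application it covers.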