What I am trying to do is send an alert if Alive_Iwalls does not equal 4. This will tell me if all of the firewalls are up and running. Any help would be greatly appreciated.
sourcetype=SidewinderFirewall Idsiwall1.ids.net OR idsiwall3.ids.net OR Idsiwall2.ids.net OR idsiwall4.ids.net | stats count by hostname | sort by count | stats count AS Alive_Iwalls | eval status = if(Alive_Iwalls == 4, "OK", "Error") | sendemail to="michael@SPL.com" if(status== error)
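An added example, not part of the original post: one way to write this check so that it returns one row per firewall that has gone silent instead of a bare count. It assumes a 15-minute lookback, that the `hostname` field carries the four names from the question (lowercased here for matching), and that the search is saved as a scheduled alert that triggers when the number of results is greater than zero.

```spl
| makeresults
| eval hostname=split("idsiwall1.ids.net,idsiwall2.ids.net,idsiwall3.ids.net,idsiwall4.ids.net", ",")
| mvexpand hostname
| eval seen=0
| append
    [ search sourcetype=SidewinderFirewall earliest=-15m
      | eval hostname=lower(hostname)
      | stats count AS seen by hostname ]
| stats sum(seen) AS events by hostname
| where events=0
```

Seeding the expected hostnames with `makeresults` matters because a firewall that logs nothing produces no row at all in a plain `stats ... by hostname`, so it has to be listed first and then matched against what was actually seen.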