We would like to monitor a few hosts which are logging errors as events across different sources.
Alert conditions we would like to set up are:
All error logs from sources are getting monitored for all hosts.
Alert condition: When any host is added or removed, trigger an alert.
I have used | metadata queries; nothing seems to match my requirement.
| metadata type=hosts index=* | where relative_time(now(), "-1d") > lastTime | convert ctime(lastTime) as Latest_Time | sort -lastTime | table host,Latest_Time
| inputlookup hoststomonitor.csv | append [ search index=myindexname | stats count as Count by host ] | table host Count | stats sum(Count) as Count by host | fillnull value=0 | eval Status=if(Count=0,"Stopped",if(Count>0,"Running","needtofill")) | sort - Status | search Status="Running" | eval Count=tostring(Count, "commas")
Appreciate your help in creating alert conditions for the above. Thanks
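One way to build the "host added or removed" alert the post asks for, added here as an illustration and not taken from the post or from any Splunk documentation: keep a baseline of known hosts in a lookup, compare it against the hosts that actually sent events in the last 24 hours, and alert when the two sets differ. The lookup name known_hosts.csv, the 24-hour windows and the index=* scope are assumptions; narrow index=* to the indexes that carry the error logs in practice. The first search bootstraps the baseline from the last 7 days; the second is the one to save as an alert with the trigger condition "number of results > 0". Because the baseline is compared against index-time presence rather than event counts, a host that keeps sending events but stops logging errors is not reported; that is a separate alert.

```spl
| tstats count where index=* earliest=-7d by host
| table host
| outputlookup known_hosts.csv

| tstats count where index=* earliest=-24h by host
| eval window="current"
| append [ | inputlookup known_hosts.csv | eval window="baseline" ]
| stats values(window) as windows by host
| eval status=case(mvcount(windows)==2, "present", windows=="current", "added", windows=="baseline", "removed")
| where status!="present"
| table host status
```

Hosts present only in the current window are reported as "added" and hosts present only in the baseline as "removed"; once a change has been reviewed, rerun the first search (or append the new host to the lookup) so the same host is not reported on every run. The tstats search reads index-time metadata only, so it stays cheap even across many indexes and does not depend on the | metadata command's lastTime, which can lag behind when events arrive with old timestamps.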