Hi all, first time posting here, so please be patient. I am relatively new to the Splunk environment, and I am struggling to figure out this search function.
My manager has asked me to create an alert for Load Balancers flapping on our server.
Criteria:
- Runs every 15 mins (I assume this can be set in the "alert" settings)
- Fires if a load balancer switches from Up to Down and back more than 5 times
This second point is the one I am struggling to work out. This is what I have so far:
index=xxx sourcetype="xxx" host="xxx" (State=UP OR State=DOWN) State="*"
| stats count by State
| eval state_status = if(DOWN+UP == 5, "Problem", "OK")
| stats count by state_status
Note: "State" is the field in question; it stores the UP/DOWN events, which have values.
Based on this, I can get an individual count of when the load balancer displayed UP and when it displayed DOWN; however, I need to turn this into a threshold search that only displays a count of how many times it changed from UP to DOWN 5 consecutive times.
Any and all help will be much appreciated.
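Added example (not from the original post or from the poster's environment): the search above throws away event order with `stats count by State`, so it can never tell how many times the state actually changed. The version below keeps events in time order per host, compares each event with the previous one using `streamstats`, counts only UP-to-DOWN transitions, and keeps hosts that crossed the threshold. The `index`, `sourcetype` and `host` values are the poster's placeholders, and it assumes the `State` field holds the literal values UP and DOWN and that `host` identifies the load balancer being monitored.

```spl
index=xxx sourcetype="xxx" host="xxx" (State="UP" OR State="DOWN")
| sort 0 host _time
| streamstats current=f last(State) as prev_state by host
| eval flap=if(prev_state="UP" AND State="DOWN", 1, 0)
| stats sum(flap) as up_to_down_count, count as state_events, min(_time) as first_seen, max(_time) as last_seen by host
| where up_to_down_count > 5
| convert ctime(first_seen) ctime(last_seen)
```

`sort 0 host _time` matters because `streamstats` walks events in the order the search returns them, which is newest first by default; without the sort the "previous" state would be the later one. `current=f` makes `prev_state` the state of the preceding event rather than the current one, so the first event per host has no `prev_state` and is not counted as a flap. Repeated UP or DOWN heartbeats are ignored, since only an UP followed by a DOWN increments the counter. For the scheduling criterion, save this as an alert with a cron schedule of `*/15 * * * *`, a time range of the last 15 minutes, and the trigger condition "Number of Results is greater than 0"; the `where` clause already applies the "more than 5" threshold, so change `> 5` if the threshold should be inclusive.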