I know that events and metrics use different index types. Does that mean I can't create an alert (outside of metrics workspace) using an SPL query with mstats?
E.g., I am pumping collectd uptime info into splunk. I want to trigger an alert on recent reboots.
| mstats min(_value) as uptime WHERE metric_name="uptime.value" AND "index"="collectd_http" span=120s BY "host"| search uptime < 10000 | stats count by host
This returns statistics results, but does not trigger an alert.
I've found the alert creation functionality in the Metrics Workspace to be somewhat limiting, and wasn't able to get an alert for this condition to work there, either. When I split by host and try to display the "lowest" hosts, it doesn't display the hosts with the lowest uptime value. Also, I haven't found a way to get the metrics alerts to send me the correct host name.
↧