topic How to create a search condition in Splunk where an alert is based on result? in Splunk Enterprise Security

How to create a search condition in Splunk where an alert is based on result?

ruchijain — Tue, 25 Jun 2019 10:31:33 GMT

I want to get alerts for the situations which are different from below conditions:

Server  a   B   C   D
condition   ü  ü  X   X
                    X      X    ü  ü

I want to check Splunk, for the above servers, if this condition is there then it's ok- otherwise, it will alert us via email.

PS: The above condition means either a and B is UP and C and D is down or A and B is Down and C and D is UP.
If there are any other conditions like all are UP or all are DOWN or A and C are UP or many more condition then it will alert us.

But I am not able to use Splunk to set this condition, can anyone please help me with this?

I am not sure if we can use LOOKUP table to check this one.

Re: How to create a search condition in Splunk where an alert is based on result?

DavidHourani — Tue, 25 Jun 2019 10:37:30 GMT

Hi @ruchijain,

I'm assuming you have a table that looks as follows :
A B C D
u u X X
u u u X
u X X X
X X u u

If that's the case then something like this will return all the events you need :

YourBaseSearch ( A=u B=u C=X D=X) OR ( A=X B=X C=u D=u)

Adding NOT will return all the events that should alert you :

YourBaseSearch NOT ( ( A=u B=u C=X D=X) OR ( A=X B=X C=u D=u) )

If you want you can share a sample event so I can help you build a search that's closer to what you will be using.

Cheers,
David

Re: How to create a search condition in Splunk where an alert is based on result?

ruchijain — Tue, 25 Jun 2019 10:54:57 GMT

sample is right as below:

currently A and B is showing service status as status =running (sourcetype=service_stutus ---> where i am using service jboss status)
C and D are editorial servers and not running so status is stopped

I want to run the query when A and B are running and C and D are stopped or vice versa (A and B are stopped and C and D are running)
For rest of the status combination it should sent the alert

Re: How to create a search condition in Splunk where an alert is based on result?

ruchijain — Tue, 25 Jun 2019 11:21:09 GMT

sample is right as below:

I want to run the query when A and B are running and C and D are stopped or vice versa (A and B are stopped and C and D are running)
For rest of the status combination it should sent the alert