topic Re: Alert only if value exists in Alerting

Alert only if value exists

jaxjohnny — Mon, 27 Mar 2017 10:46:15 GMT

Hello Splunkers,

We have a search that runs every 30 minutes, and then sends and email. The problem is that there may not be a value in the results. The search looks for a "deny" event. We would like the search to run every 30 minutes, but ONLY send an email alert IF there are values in the results; in other words only if there is a deny event.

index=xncsyslog | search action="deny" | dedup deviceid | fields _time action group user deviceid devicetype agent ip | table _time user deviceid devicetype action group agent ip

Re: Alert only if value exists

niketn — Mon, 27 Mar 2017 11:18:37 GMT

Do you need this

index=xncsyslog action="deny" 
|dedup deviceid 
|table _time user deviceid devicetype action group agent ip

Under alerts Trigger Conditions set to trigger when Number of Results > 0

Re: Alert only if value exists

gcusello — Mon, 27 Mar 2017 11:19:15 GMT

Hi jaxjohnny,
to do what you want, you have to create a lookup with all your deviceid to monitor (calling it e.g. Perimeter.csv) in which there is a column called "deviceid" (and eventually other columns describing each device) and then run a search like this:

index=xncsyslog action="deny" 
| eval deviceid=upper(deviceid) 
| stats count by deviceid 
| append [ | inputlookup Perimeter.csv | eval count=0 | fields deviceid count ] 
| stats sum(count) AS Total by deviceid

In this way, missed deviceids have Total=0, the other have Total>0.

(Note that if you insert the search condition action="deny" after a | and a search command, your search is slower! and that you don't need to use the field command before table command).

You can insert at the end of your search | where Total=0 and create an alert or create a dashboard that shows the status of your devices.

You could also show status of your devices inserting at the end of your search | rangemap field=Somma severe=0-0 low=1-1000000000 default=severe

If you like to show status of your devices in a graphic mode, follow the example in Splunk 6.x Dashboard Examples App (https://splunkbase.splunk.com/app/1603/).

Bye.
Giuseppe

Re: Alert only if value exists

gcusello — Mon, 27 Mar 2017 11:19:15 GMT

index=xncsyslog action="deny" 
| eval deviceid=upper(deviceid) 
| stats count by deviceid 
| append [ | inputlookup Perimeter.csv | eval count=0 | fields deviceid count ] 
| stats sum(count) AS Total by deviceid

In this way, missed deviceids have Total=0, the other have Total>0.

(Note that if you insert the search condition action="deny" after a | and a search command, your search is slower! and that you don't need to use the field command before table command).

You can insert at the end of your search | where Total=0 and create an alert or create a dashboard that shows the status of your devices.

You could also show status of your devices inserting at the end of your search | rangemap field=Somma severe=0-0 low=1-1000000000 default=severe

If you like to show status of your devices in a graphic mode, follow the example in Splunk 6.x Dashboard Examples App (https://splunkbase.splunk.com/app/1603/).

Bye.
Giuseppe

Re: Alert only if value exists

niketn — Mon, 27 Mar 2017 11:22:19 GMT

Do you need this? It would run every 30 min for last 30 minutes and will trigger only if the table has record/s for deny event based on deviceid:

index=xncsyslog action="deny" earliest=-30m latest=now
|dedup deviceid 
|table _time user deviceid devicetype action group agent ip

Under alerts Trigger Conditions set to trigger when Number of Results > 0

Set on every 30 minutes cron schedule : */30 * * * *

Re: Alert only if value exists

jaxjohnny — Mon, 27 Mar 2017 11:45:35 GMT

Thank you. However, we do not know which devices will attempt to connect. These are all BYO devices connecting. We have two portals. One portal is permitted for all devices, while the other portal is approved only for select devices.

Re: Alert only if value exists

jaxjohnny — Mon, 27 Mar 2017 11:50:22 GMT

Thank you. I've made this change to both the code and the trigger conditions. The next report runs in about 10 minutes. We'll see if this works.