https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617499#M14437 <P>I managed to find a solution which is to use&nbsp;<SPAN>$job.latestTime$ instead. I have applied this to all our alerts now.</SPAN></P><P>&nbsp;</P><P>This is where I got the idea from:&nbsp;<A href="https://community.splunk.com/t5/Dashboards-Visualizations/Setting-job-earliestTime-and-job-latestTime-tokens-for-the-date/m-p/345199" target="_blank">https://community.splunk.com/t5/Dashboards-Visualizations/Setting-job-earliestTime-and-job-latestTime-tokens-for-the-date/m-p/345199</A></P> Tue, 18 Oct 2022 08:10:53 GMT vishalduttauk 2022-10-18T08:10:53Z https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617135#M14409 <P>I have a search which triggers an alert if an event hasn't be received by 6.20 am. That alert works fine but it needs to send data into another system. That system needs a unique id within it's Key field.</P> <P><SPAN>key=$result._time$ won't work as</SPAN>&nbsp;the event doesn't exist.</P> <P>Is there a way to add a unique value into that key field on an event that doesn't exist?</P> <P>The search is:</P> <P><SPAN>sourcetype=Batch OR sourcetype=ManualBatch "Step 'CleanupOldRunlogs' finished with status SUCCESS"</SPAN></P> Fri, 14 Oct 2022 17:19:40 GMT https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617135#M14409 vishalduttauk 2022-10-14T17:19:40Z https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617137#M14411 <P>This is a job for <FONT face="courier new,courier">appendpipe</FONT>.&nbsp; The <FONT face="courier new,courier">appendpipe</FONT> command runs commands against the current results and, among other things, lets you give values to fields when there are no results.</P><LI-CODE lang="markup">sourcetype=Batch OR sourcetype=ManualBatch "Step 'CleanupOldRunlogs' finished with status SUCCESS" | appendpipe [ stats count | eval key="foo" | where count=0 | fields - count ]</LI-CODE><P>Here, <FONT face="courier new,courier">appendpipe</FONT> checks how many results there are and sets a value for the key field.&nbsp; That value is shown only if count is zero.&nbsp; Finally, the count field is discarded.</P><P>&nbsp;</P> Fri, 14 Oct 2022 13:52:14 GMT https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617137#M14411 richgalloway 2022-10-14T13:52:14Z https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617140#M14413 <P>Thanks&nbsp;<A href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957" target="_blank">@richgalloway</A>&nbsp;</P><P>Is there a way to make the value for key unique. i.e. the alert could be triggered today and tomorrow but i want each value to be different</P> Fri, 14 Oct 2022 14:15:03 GMT https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617140#M14413 vishalduttauk 2022-10-14T14:15:03Z https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617152#M14416 <P>You can set the key to the current timestamp.</P><LI-CODE lang="markup">| eval key=strftime(now(), "%Y-%m-%d %H:%M:%S")</LI-CODE> Fri, 14 Oct 2022 15:07:16 GMT https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617152#M14416 johnhuang 2022-10-14T15:07:16Z https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617153#M14417 <P>You could set key to the current time.</P><LI-CODE lang="markup">sourcetype=Batch OR sourcetype=ManualBatch "Step 'CleanupOldRunlogs' finished with status SUCCESS" | appendpipe [ stats count | eval key=now() | where count=0 | fields - count ]</LI-CODE> Fri, 14 Oct 2022 15:09:54 GMT https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617153#M14417 richgalloway 2022-10-14T15:09:54Z https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617171#M14421 <P>I'd say whenever you can, store the time as a numeric timestamp, not as string. It's easier to manipulate, and you don't have to waste resources to parse it.</P> Fri, 14 Oct 2022 16:41:36 GMT https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617171#M14421 PickleRick 2022-10-14T16:41:36Z https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617193#M14425 <P>Epoch time works but it depends if you want it to be human readable or not on the 3rd party system.</P> Fri, 14 Oct 2022 19:31:51 GMT https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617193#M14425 johnhuang 2022-10-14T19:31:51Z https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617196#M14426 <P>Sure. In this case rendering the value to text seems to be a bit of an overkill. And it's always cheaper to render a timestamp to a string than to parse a string to a timestamp.</P> Fri, 14 Oct 2022 19:48:15 GMT https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617196#M14426 PickleRick 2022-10-14T19:48:15Z https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617499#M14437 <P>I managed to find a solution which is to use&nbsp;<SPAN>$job.latestTime$ instead. I have applied this to all our alerts now.</SPAN></P><P>&nbsp;</P><P>This is where I got the idea from:&nbsp;<A href="https://community.splunk.com/t5/Dashboards-Visualizations/Setting-job-earliestTime-and-job-latestTime-tokens-for-the-date/m-p/345199" target="_blank">https://community.splunk.com/t5/Dashboards-Visualizations/Setting-job-earliestTime-and-job-latestTime-tokens-for-the-date/m-p/345199</A></P> Tue, 18 Oct 2022 08:10:53 GMT https://community.splunk.com/t5/Alerting/How-to-create-a-unique-value-on-0-event-searches/m-p/617499#M14437 vishalduttauk 2022-10-18T08:10:53Z