<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Generating administrator alerts based on events analysis in Reporting</title>
    <link>https://community.splunk.com/t5/Reporting/Generating-administrator-alerts-based-on-events-analysis/m-p/65742#M1521</link>
    <description>&lt;P&gt;Thanks for the quick response. Here are a few thoughts on that approach:&lt;/P&gt;

&lt;P&gt;The alert messages would need to be parameterized and would contain data unique to the search result. I think it's possible to dynamically generate lookup files. Any recommendations or best practices on how to do this?&lt;/P&gt;

&lt;P&gt;One other consideration: this alert lookup file will become really big and most of the entries are only relevant for 1-2 weeks. It would be better to save the results in a Splunk index and apply JOINs as needed. Or, I could just append the message text and severity as a field on one of the events.&lt;/P&gt;</description>
    <pubDate>Thu, 07 Oct 2010 06:22:06 GMT</pubDate>
    <dc:creator>Tim</dc:creator>
    <dc:date>2010-10-07T06:22:06Z</dc:date>
    <item>
      <title>Generating administrator alerts based on events analysis</title>
      <link>https://community.splunk.com/t5/Reporting/Generating-administrator-alerts-based-on-events-analysis/m-p/65740#M1519</link>
      <description>&lt;P&gt;I want to build a dashboard that lists alert strings for administrators and creates some basic statistics on these generated alerts. Here are the details.&lt;/P&gt;

&lt;P&gt;My event stream comes from a bunch of agents that periodically report values for some key settings. So, I have an index full of daily updates from many agents consisting of:&lt;/P&gt;

&lt;P&gt;agentId = , settingA = foo&lt;/P&gt;

&lt;P&gt;I want to generate an alert when I detect that settingA has flipped from "foo" to "bar". I'd like to be able to generate a message that says: "Agent X has changed its setting from 'Foo' to 'Bar'." Since I have a large number of events, I need to run this alert generation report as a scheduled background report. &lt;/P&gt;

&lt;P&gt;Moreover, I'd like to be able to assign a severity code to each alert message and do a "stats count by severity". In other words, I want to generate some complex stats and charts based on the number of alerts and their severity.&lt;/P&gt;

&lt;P&gt;Any recommendations on how to implement this in an application? I know it's a broad question, but I know someone has implemented something similar.&lt;/P&gt;

&lt;P&gt;Thanks,
Tim&lt;/P&gt;</description>
      <pubDate>Thu, 07 Oct 2010 04:28:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Reporting/Generating-administrator-alerts-based-on-events-analysis/m-p/65740#M1519</guid>
      <dc:creator>Tim</dc:creator>
      <dc:date>2010-10-07T04:28:30Z</dc:date>
    </item>
    <item>
      <title>Re: Generating administrator alerts based on events analysis</title>
      <link>https://community.splunk.com/t5/Reporting/Generating-administrator-alerts-based-on-events-analysis/m-p/65741#M1520</link>
      <description>&lt;P&gt;If you want to enrich existing data with new values (e.g. severity) you may want to explore lookup files.&lt;/P&gt;

&lt;P&gt;Your search can reference an event by a unique field (or combination of fields that would be unique). This unique identifier would be appended to a lookup file along with the new data you wish to associate with it.&lt;/P&gt;

&lt;P&gt;You would then use that lookup file when searching through that data to find its associated severity and/or other interesting metadata you've added.&lt;/P&gt;</description>
      <pubDate>Thu, 07 Oct 2010 05:01:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Reporting/Generating-administrator-alerts-based-on-events-analysis/m-p/65741#M1520</guid>
      <dc:creator>bwooden</dc:creator>
      <dc:date>2010-10-07T05:01:33Z</dc:date>
    </item>
    <item>
      <title>Re: Generating administrator alerts based on events analysis</title>
      <link>https://community.splunk.com/t5/Reporting/Generating-administrator-alerts-based-on-events-analysis/m-p/65742#M1521</link>
      <description>&lt;P&gt;Thanks for the quick response. Here are a few thoughts on that approach:&lt;/P&gt;

&lt;P&gt;The alert messages would need to be parameterized and would contain data unique to the search result. I think it's possible to dynamically generate lookup files. Any recommendations or best practices on how to do this?&lt;/P&gt;

&lt;P&gt;One other consideration: this alert lookup file will become really big and most of the entries are only relevant for 1-2 weeks. It would be better to save the results in a Splunk index and apply JOINs as needed. Or, I could just append the message text and severity as a field on one of the events.&lt;/P&gt;</description>
      <pubDate>Thu, 07 Oct 2010 06:22:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Reporting/Generating-administrator-alerts-based-on-events-analysis/m-p/65742#M1521</guid>
      <dc:creator>Tim</dc:creator>
      <dc:date>2010-10-07T06:22:06Z</dc:date>
    </item>
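The scheduled search below is an added example written for this thread; it is not code posted by Tim or bwooden. It implements what the first post asks for (detect settingA flipping for an agent, build the parameterized message, assign a severity) and takes the route Tim's last reply leans toward: writing the results into a Splunk index rather than a growing lookup file. Field names agentId and settingA come from the original post; the index name agent_settings, the sourcetype agent_report, the summary index setting_alerts and the severity rule in the case() are assumptions for illustration.

```spl
index=agent_settings sourcetype=agent_report earliest=-2d
| sort 0 agentId _time
| streamstats current=f window=1 last(settingA) as prev_settingA by agentId
| where isnotnull(prev_settingA) AND prev_settingA!=settingA
| eval severity=case(settingA=="bar", "high", true(), "low")
| eval message="Agent ".agentId." has changed its setting from '".prev_settingA."' to '".settingA."'"
| table _time agentId prev_settingA settingA severity message
| collect index=setting_alerts marker="alert_type=setting_change"
```

How it works: sort 0 orders every event (the 0 lifts the default row limit) by agent and time; streamstats with current=f and window=1 attaches the previous report's value for the same agentId as prev_settingA; the where clause keeps only events whose value differs from the previous one and drops each agent's first-ever report, which has no prev_settingA. The eval lines build the severity and the message text, and collect writes each alert as an event into the setting_alerts summary index, which must already exist. Dashboard panels then run ordinary searches over that index, for example `index=setting_alerts earliest=-7d | stats count by severity` or `index=setting_alerts earliest=-7d | timechart span=1d count by severity`, and the index's own retention settings age out the 1-2 week old entries Tim is worried about.

Two caveats for the schedule: the search has to look back far enough to see each agent's previous report (here two days for daily reports), and if consecutive runs overlap, the same transition can be collected twice, so either make the schedule window match earliest or add `dedup agentId _time` to the dashboard searches. If you prefer bwooden's lookup-file approach, replace the final collect with `outputlookup setting_alerts.csv`; note that outputlookup rewrites the whole file on each run unless your Splunk version supports its append option, which is why the index approach scales better for high-volume alerts.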
  </channel>
</rss>

