topic Re: Issues with Lookup In Alert in Splunk Search

Issues with Lookup In Alert

paddy3883 — Wed, 05 Dec 2012 12:03:28 GMT

I've created an lookup (lookuptest) from a CSV file which has three values per row e.g.

Filter,Limit,Timing

VALUE1,"| head 5",1000

VALUE2,"",2000

VALUE3,"| head 10",3000

I've written a search using this lookup against events some a specific source SOURCE_A. Each event contains a number of fields including Timing (time in milliseconds for this event) and TranName (description of what event relates to). The search needs to read each row from the CSV, filter the events based on the values and then return the list e.g.

inputlookup lookuptest | map [search source=SOURCE_A $Filter$ $Limit$ | stats avg(Timing) as Timing by TranName | where Timing >= $Duration$ ] maxsearches=99 | fields TranName, Timing

When I execute this in the Search application it runs as expected and returns the correct results, but when I create an alert for it based on this search it never finds any results. If I then View Recent executions of this search it loads the Search application but it has removed the variables e.g.

inputlookup lookuptest | map [search source=SOURCE_A | stats avg(Timing) as Timing by TranName | where Timing >= ] maxsearches=99 | fields TranName, Timing

Is there any reason for this?

Re: Issues with Lookup In Alert

dart — Wed, 05 Dec 2012 18:20:51 GMT

I think you're hitting the fact that saved searches can have $parameter$ substition of their own. I believe a workaround is to place your search in a macro, and just have `macro_name` as your search

Re: Issues with Lookup In Alert

paddy3883 — Thu, 06 Dec 2012 17:30:33 GMT

Thanks. Whenever I create the macro and attempt to run it in Search I get the following:

Error in 'inputlookup' command: This command must be the first command of a search. My macro contains:

Any ideas what's going on?

Re: Issues with Lookup In Alert

paddy3883 — Tue, 11 Dec 2012 11:21:48 GMT

Still struggling to figure out the problem with this one. Anyone have any idea what the issue is?

Re: Issues with Lookup In Alert

paddy3883 — Mon, 07 Jan 2013 14:10:11 GMT

I managed to fix the problem I had above. I had to remove the initial | from the macro and then when called my macros using the search query place the | at the start i.e.:

Macro Code - named mysearch:

inputlookup lookuptest | map [search source=SOURCE_A $Filter$ $Limit$ | stats avg(Timing) as Timing by TranName | where Timing >= $Duration$ ] maxsearches=99 | fields TranName, Timing

Search String:

| mysearch