topic Re: csv lookup for search query based on continuity and 7-day condition in Splunk Search

csv lookup for search query based on continuity and 7-day condition

longmen — Fri, 23 Jul 2021 19:37:00 GMT

Hi Splunk Experts,

I wonder if you could help me putting the below logic in to a search query?

Here the link reference to my original question.
https://community.splunk.com/t5/Splunk-Search/kv-store-search-send-alert-and-also-store-the-the-alert-sent/m-p/560289#M159234

Thanks

"The logic of your requirement seems to be that there are two situations when a user appears in the audit (satisfying the conditions). Either, they are in the list of alerts from yesterday, or they are not. If they were not in the list from yesterday, send an alert and add them to the list (noting when they were added). If they were in the list, don't send an alert but note they were there. now, process the list and remove anyone who didn't appear today (so that an alert will be generated next time they appear on the list), Also, remove anyone who has been on the list for 7 days including today (so that an alert will be generated next time they appear on the list, even if it is tomorrow - day 8)."

Day	Audit name	Alert name at start	Alert sent date at start	Alert name at end	Alert sent date at end	Send alert
1	James			James	1	Y
	Michael			Michael	1	Y
2	James	James	1	James	1	N
		Michael	1
3	James	James	1	James	1	N
	Michael			Michael	3	Y
4	James	James	1	James	1	N
	Michael	Michael	3	Michael	3	N
5	James	James	1	James	1	N
	Michael	Michael	3	Michael	3	N
6	James	James	1	James	1	N
		Michael	3
7	James	James	1	James	1	N
	Michael			Michael	7	Y
8	James			James	8	Y
		Michael	7

Re: csv lookup for search query based on continuity and 7-day condition

ITWhisperer — Sat, 24 Jul 2021 07:22:37 GMT

Using the csv files from the previous answer and taking a 7 minute rather than 7 day expiry on the alerts, the runanywhere example becomes

The lines you would need to change for your case would be

You might also want to filter the final result for send alert = Y so you only send an alert if any events are left.

Re: csv lookup for search query based on continuity and 7-day condition

longmen — Mon, 26 Jul 2021 20:58:46 GMT

Hi ITWhsiper,

Thanks a lot for your help. There is one missing piece in this. Robert appears on Day1 and spunk sends an alert "Y".

He disappears on Day2

He appears again on Day3 but Spunk does not send another alert.

What query do I need to add here so that Splunk will send an alert for Robert on Day 3? You used to give me this

| eval _send_alert=if(isnull(Alert_sent_date) OR Alert_date - Alert_sent_date > 60 * 2, "Y",null())

I wonder how do I integrate it into this to make it work. Could you please advise?

| inputlookup audit.csv
| lookup condition.csv Department Name Role email employee_id
| where watch="Y"
| fields email employee_id
| eval Alert_date=relative_time(now(),"@m")
| append 
    [| inputlookup alerts.csv
    | where relative_time(now(),"@m")-Alert_sent_date < 60*7 OR employee_id = 0]
| stats max(*) as * by email employee_id
| eval _send_alert=if(isnull(Alert_sent_date), "Y",null())
| eval Alert_sent_date=if(_send_alert="Y", Alert_date,Alert_sent_date)
| eval Alert_updated_date=Alert_date
| rename Alert_date as _Alert_date
| outputlookup alerts.csv
| where isnotnull(_Alert_date)
| eval send_alert=if(_send_alert="Y",_send_alert,"N")
| fieldformat Alert_sent_date=strftime(Alert_sent_date,"%H:%M:%S")
| fieldformat Alert_updated_date=strftime(Alert_updated_date,"%H:%M:%S")

Very respectfully,

Long

Re: csv lookup for search query based on continuity and 7-day condition

ITWhisperer — Mon, 26 Jul 2021 21:28:44 GMT

Try changing these two lines

| outputlookup alerts.csv | where isnotnull(_ALERT_DATE)

| where isnotnull(_ALERT_DATE) OR EMPLOYEE_ID = 0 | outputlookup alerts.csv

Re: csv lookup for search query based on continuity and 7-day condition

longmen — Mon, 26 Jul 2021 22:50:00 GMT

Hi ITWhisper,

It is not fixed and the error still persists. James , Robert John, Michael has "COUNTRY=CAN" and Splunk sends them alert on Day1.

James, William, David, and Richard are flagged on Day2 and Splunk only sends alert for William, David, and Richard. Splunk does not send an alert for James because his case is continuity. That is perfect.

On Day3, James, Robert, Thomas, and Charles are flagged. Splunk did not send an alert for James (This is good because his case is continuity). Splunk sends an alert for Charles and Thomas (This is also good). However, Splunk does not send an alert for Robert (which is not good because Robert is flagged on Day1, he is not flagged on Day2 but he is flagged again on Day3. Hence, Splunk is supposed to send an alert to Robert).

Could you please help me fixing Robert's condition?

Also, if I need to split this search, for example, one search is for continuity under 7 days and another search is for 24-hour break, just like Robert here, and combine both search somewhere? Please advise!

Very respectfully,

Long

Re: csv lookup for search query based on continuity and 7-day condition

ITWhisperer — Mon, 26 Jul 2021 23:23:24 GMT

It looks like for Robert to still be in Day 2, the condition is still Y despite him changing country. Please can you share the contents of condition.csv?

Re: csv lookup for search query based on continuity and 7-day condition

longmen — Tue, 27 Jul 2021 00:31:24 GMT

Hi ITWhisperer,

Thanks for your response, sir. Yes, I also noticed that Robert appears in Day2. Here is the content of the condition.csv file.

Very respectfully,

Long

Re: csv lookup for search query based on continuity and 7-day condition

longmen — Tue, 27 Jul 2021 00:43:45 GMT

Hi ITWhisperer,

Thanks for your response, sir. Yes, I also noticed that Robert appears in Day2. Here is the content of the condition.csv file.

Very respectfully,

Long

Re: csv lookup for search query based on continuity and 7-day condition

ITWhisperer — Tue, 27 Jul 2021 08:19:46 GMT

Can you move this line

| eval ALERT_UPDATED_DATE=ALERT_DATE

to above this line

| rename ALERT_DATE as _ALERT_DATE

so we can see whether the user is making it passed the first where command

Re: csv lookup for search query based on continuity and 7-day condition

ITWhisperer — Tue, 27 Jul 2021 08:21:31 GMT

It looks like the condition.csv mechanism isn't working for you.

Please try changing these lines

| fields EMAIL EMPLOYEE_ID

| fields EMAIL EMPLOYEE_ID COUNTRY CONDITION

| rename ALERT_DATE as _ALERT_DATE

| rename ALERT_DATE as _ALERT_DATE COUNTRY as _COUNTRY CONDITION as _CONDITION

and after

| eval SEND_ALERT=if(_SEND_ALERT="Y",_SEND_ALERT,"N")

add

| rename _COUNTRY as COUNTRY _CONDITION as CONDITION

Re: csv lookup for search query based on continuity and 7-day condition

ITWhisperer — Tue, 27 Jul 2021 08:08:56 GMT

Also, which version of splunk are you using?

Re: csv lookup for search query based on continuity and 7-day condition

longmen — Wed, 28 Jul 2021 20:06:45 GMT

Hi ITWhisperer,

Thanks for all your responses. I am testing your logic on the paid Splunk virtual environment and Splunk still does not send another alert for the person on day3 when he is flagged and is sent an alert on Day1, disappear on Day2, and flagged again on Day3. I wonder if it works for you?

Very respectfully,

Long

Re: csv lookup for search query based on continuity and 7-day condition

ITWhisperer — Wed, 28 Jul 2021 22:30:40 GMT

It is working for me although I have slightly different commands to you. What I don't understand is why, for example, Robert appears in the results of the search on day 2. If as your output suggests his country is not CAN, he should have been removed by the first where command. If he has been removed, ALERT_DATE is not set when he is then added back in by the append inputlookup, which means he should have been removed (again) by the third where command. Can you rerun it with the changes I have suggested so we can see some more of the field values?

Re: csv lookup for search query based on continuity and 7-day condition

longmen — Thu, 29 Jul 2021 15:39:27 GMT

Hi ITWhisperer,

Thanks for your prompt response. I implemented your logic on Splunk 8.2.1. and Robert still pops up on Day2 even though he is not flagged on Day2 csv file. Also, no alert was sent to Robert on Day3 as well even though he is flagged on Day3.
Additionally, I implemented your logic on paid Splunk virtual environment and another dataset and I've got the same result.

Here is how I set up condition.csv file

Could you please advise?

Very respectfully,

Long

Re: csv lookup for search query based on continuity and 7-day condition

ITWhisperer — Thu, 29 Jul 2021 15:50:59 GMT

What results do you get from just the first two line i.e. search + lookup?

(The results you have shown confirm that CONDITION is set to Y when we are not expecting it to be)

Re: csv lookup for search query based on continuity and 7-day condition

ITWhisperer — Thu, 29 Jul 2021 15:52:19 GMT

I am presuming CONDITION doesn't exist after the first line i.e. just the search?

Re: csv lookup for search query based on continuity and 7-day condition

longmen — Thu, 29 Jul 2021 16:23:22 GMT

I wonder if it is better for me to try working this on kv store instead? Thanks

Re: csv lookup for search query based on continuity and 7-day condition

ITWhisperer — Thu, 29 Jul 2021 22:03:29 GMT

OK I may have figured out what might be going on - the fields I was attempting to hide by renaming them with leading underscores are still getting written to the csv files, so try adding this

| table ALERT_SENT_DATE ALERT_UPDATED_DATE EMAIL EMPLOYEE_ID

after the inputlookup of alerts.csv

Re: csv lookup for search query based on continuity and 7-day condition

longmen — Fri, 30 Jul 2021 02:57:47 GMT

Hi ITWhisperer,

Thanks for always responding to my questions. It did not work. On day 2, Robert still appears. I believe your queries are supposed to overwrite the alerts.csv on Day1 and on Day2 there should be James, David, Richard, and William appearing on the alerts.csv file. However, this query lookups everyone and keep them in the alerts.csv file on day2.

On Day3, because the query also finds Robert on Day2 (which was supposed to be deleted), therefore, it is not sending another alert. In this case, Robert's case is just like James who appears for 3-day straight because Splunk does not overwrite the alerts.csv and delete Robert on Day2. Please advise and please let me know if I am wrong!

Very respectfully,

Long

Re: csv lookup for search query based on continuity and 7-day condition

ITWhisperer — Fri, 30 Jul 2021 07:35:23 GMT

What are the results of just the index search on day 2?