https://community.splunk.com/t5/Splunk-Search/How-to-create-an-alert-based-on-lookup-file/m-p/589379#M205238 <P>You mean something like:</P><LI-CODE lang="markup">index=abc sourcetype=bcd “abc” [| inputlookup &lt;lookup-name&gt; | where latest==now() | appendpipe [| stats count | where count=0 | eval File_Name="when no match found in the lookup", earliest=0, latest=0] | table File_Name, earliest, latest ]</LI-CODE><P>&nbsp;</P><P>The <STRONG>appendpipe</STRONG> is the condition when nothing in the lookup matches the current time. If you can update that part as you wish in that case.</P> Wed, 16 Mar 2022 17:02:55 GMT VatsalJagani 2022-03-16T17:02:55Z https://community.splunk.com/t5/Splunk-Search/How-to-create-an-alert-based-on-lookup-file/m-p/589371#M205233 <P>Hi,</P> <P>I need to set up an alert with the query like below.</P> <LI-CODE lang="markup">index=abc sourcetype=bcd “abc” File_name=maple.txt earliest=2h@h latest=now</LI-CODE> <P>In the above query,the File_name,earliest &amp; latest time has to be picked up from the lookup file.<BR />Condition - if the current time matches with latest time in the lookup file,then the query has to be run for the respective File_name for that timerange(earliest and latest time mentioned in the lookup)</P> <P>The lookup table to be like below:</P> <P>File_name earliest latest<BR />Dfg.txt 2 4<BR />Dft.txt 5 6<BR />Ser.txt 5 7</P> Wed, 16 Mar 2022 16:32:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-an-alert-based-on-lookup-file/m-p/589371#M205233 prettysunshinez 2022-03-16T16:32:22Z https://community.splunk.com/t5/Splunk-Search/How-to-create-an-alert-based-on-lookup-file/m-p/589374#M205235 <P>How is this different to what you asked a couple of weeks ago, for which I provided an answer?</P> Wed, 16 Mar 2022 16:40:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-an-alert-based-on-lookup-file/m-p/589374#M205235 ITWhisperer 2022-03-16T16:40:12Z https://community.splunk.com/t5/Splunk-Search/How-to-create-an-alert-based-on-lookup-file/m-p/589379#M205238 <P>You mean something like:</P><LI-CODE lang="markup">index=abc sourcetype=bcd “abc” [| inputlookup &lt;lookup-name&gt; | where latest==now() | appendpipe [| stats count | where count=0 | eval File_Name="when no match found in the lookup", earliest=0, latest=0] | table File_Name, earliest, latest ]</LI-CODE><P>&nbsp;</P><P>The <STRONG>appendpipe</STRONG> is the condition when nothing in the lookup matches the current time. If you can update that part as you wish in that case.</P> Wed, 16 Mar 2022 17:02:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-an-alert-based-on-lookup-file/m-p/589379#M205238 VatsalJagani 2022-03-16T17:02:55Z