topic Re: Change inputlookup to events in Splunk Search

Change outputlookup to events

jwhughes58 — Fri, 05 Jan 2024 18:29:52 GMT

Hi All,

The Bloodhound TA creates a KV store lookup. I've been asked to take the entries in the KV store and turn them into events. I've setup an alert, but I'm not seeing the alert fire. The SPL looks like this

| inputlookup path_principals_lookup | eval domain_id=if(isnull(domain_id), "NULL_domain_id", domain_id) | eval domain_name=if(isnull(domain_name), "NULL_domain_name", domain_name) | eval group=if(isnull(group), "NULL_Group", group) | eval non_tier_zero_principal=if(isnull(non_tier_zero_principal), "NULL_non_tier_zero_principal", non_tier_zero_principal) | eval path_id=if(isnull(path_id), "NULL_path_id", path_id) | eval path_title=if(isnull(path_title), "NULL_path_title", path_title) | eval principal=if(isnull(principal), "NULL_principal", principal) | eval tier_zero_principal=if(isnull(tier_zero_principal), "NULL_tier_zero_principal", tier_zero_principal) | eval user=if(isnull(user), "NULL_user", user) | dedup domain_id, domain_name, group, non_tier_zero_principal, path_id, path_title, principal, tier_zero_principal, user

I see statistics, but that doesn't fire the alert. Is there something I'm missing to turn the values in the kvstore into events to be alerted on?

TIA,

Joe

Re: Change outputlookup to events

dtburrows3 — Fri, 05 Jan 2024 19:30:56 GMT

When you say you have set up an alert, what are your configured Trigger Conditions and then the following Alert Actions that follow?
These can be found in the Edit Alert menu and looks like this.

Where does the outputlookup come into play here? I dont see it in you SPL shared but it is in the title.
From just the title of this question alone it sounds like you would like to gather results and instead of storing them in a lookup to send them to a summary index via alert_action or collect command.

But from the body of the question it sounds like you are just having issues seeing results of a scheduled search trigger an alert. If you run the search ad-hoc and are seeing results, then I would check Trigger conditions, the configured alert actions if the trigger conditions are met.
If those look good then I would check the ownership of the Alert itself and does the owner have access to the KVStore.

You should be able to look into internal logs about the status of previous runs as well with something like this.

index=_internal savedsearch_name="<alert_name>" | table _time, savedsearch_name, user, app, status, dispatch_time, run_time, result_count, alert_actions, action_time_ms

where <alert_name> is the name of your alert.

I also noticed on your search that you had a lot of eval doing sort of the same function, I think a foreach loop might be useful here if you want to try it out.

| inputlookup path_principals_lookup | foreach domain_id, domain_name, group, non_tier_zero_principal, path_id, path_title, principal, tier_zero_principal, user [ | eval <<FIELD>>=if( isnull('<<FIELD>>'), "NULL_<<FIELD>>", '<<FIELD>>' ) ] | dedup domain_id, domain_name, group, non_tier_zero_principal, path_id, path_title, principal, tier_zero_principal, user

Re: Change inputlookup to events

jwhughes58 — Fri, 05 Jan 2024 19:43:19 GMT

The outputlookup should have been inputlookup. My brain slipped a gear when I was entering the Subject. I have corrected it. Here is what I have in the alert. I should give the foreach a try.

Re: Change outputlookup to events

jwhughes58 — Fri, 05 Jan 2024 19:51:39 GMT

Cool. Not quite as fast as the original method, but the difference is minuscule. I do like the fact that I don't have to repeat the same command. This is nice to know.

Re: Change inputlookup to events

dtburrows3 — Fri, 05 Jan 2024 20:28:13 GMT

Okay so I think since your trigger condition is

search count>0

It suspect is not firing because there is no field named 'count' for that to evaluate as true.

Can you try this setting instead? (it should be the same logic as intended)

As long as the KVStore has results in it, then your alert action should trigger every time the scheduler kick off the search.

Re: Change inputlookup to events

jwhughes58 — Fri, 05 Jan 2024 20:32:06 GMT

I've tried that and I didn't see anything. I tried it again and I still don't see the alert firing.

Re: Change inputlookup to events

dtburrows3 — Fri, 05 Jan 2024 20:39:47 GMT

Just a follow up, are you readjusting the cron schedule to fire soon after making the adjustment to test?
I'm not sure if an alert action will trigger by just doing an "Open in Search" or "Run" action from the UI. I think the scheduler may have to kick off the search for the alert actions to be applied. (unless using the "| sendalert command")

Re: Change inputlookup to events

jwhughes58 — Fri, 05 Jan 2024 21:00:49 GMT

I just changed the cron job. I was just running it from the UI. Once I did that, I started getting alerts. I need to do some more cleanup, but the problem is solved.

Re: Change inputlookup to events

dtburrows3 — Fri, 05 Jan 2024 21:01:59 GMT

Awesome! Glad you got it resolved!