https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203315#M59081 <P>It does work with or without the initial pipe. The inputlookup on regular search needs a pipe, so I got the habit of putting that anyways. </P> Thu, 03 Sep 2015 15:04:36 GMT somesoni2 2015-09-03T15:04:36Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203306#M59072 <P>We have a network load balancer (NLB) that generates syslog messages when servers fail to respond to health probes from the NLB. The message looks like this:</P> <PRE><CODE> Sep 1 20:20:22 HostA VirtualContextA: %ACE-3-251008: Health probe failed for server 10.10.10.10 on port 443... </CODE></PRE> <P>I have a field extraction that pulls out the IP address and port number and creates the fields <STRONG>server_address</STRONG> and <STRONG>port</STRONG>. I would like to generate alerts (emails) when these messages are seen. However, I do not want the alerts to be generated if the servers are undergoing maintenance. I have a CSV file (inmaint.csv) that has a list of servers that are undergoing maintenance. The CSV file has the columns 'IP_address' and 'Caption' where 'Caption' is the server name.</P> <P>My base search is: <CODE>index=network "Health probe failed for server"</CODE></P> <P>How do I add a lookup to this search to check the CSV file and determine whether a server is in maintenance? <BR /> Effectively, I want to suppress alerting for servers that are in the CSV file.</P> <P>"If <STRONG>server_address</STRONG> is present in the lookup file, don't alert."</P> <P>I'm quite confused about when to use lookup, inputlookup, subsearch, etc. I know WHAT I want to achieve, but can't figure out HOW. Please let me know if any of it's unclear.</P> Wed, 02 Sep 2015 00:49:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203306#M59072 mjshoaf 2015-09-02T00:49:39Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203307#M59073 <P>Assuming that both your data and the lookup have the same field name for the ip try this:</P> <PRE><CODE> index=network "Health probe failed for server" | append [|inputlookup my_lookupfile.csv ] | stats count by ip | where count = 1 </CODE></PRE> <P>If the field names are different just use <CODE>|rename</CODE> Command to rename one of the fields to be the same as the other.</P> Wed, 02 Sep 2015 02:31:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203307#M59073 diogofgm 2015-09-02T02:31:13Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203308#M59074 <P>Hi mjshoaf,</P> <P>take a look at this answer <A href="http://answers.splunk.com/answers/289318/how-do-i-disable-monitoring-on-a-server-for-a-cert.html">http://answers.splunk.com/answers/289318/how-do-i-disable-monitoring-on-a-server-for-a-cert.html</A> , it gives various methods to achieve what you want.</P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Wed, 02 Sep 2015 02:37:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203308#M59074 MuS 2015-09-02T02:37:46Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203309#M59075 <P>I don't understand what 'append' does. It seems like that would add results to my original results. I want to filter my original results and end up with a subset (i.e., just the ones that appy to servers that are not undergoing maintenance).</P> Wed, 02 Sep 2015 12:45:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203309#M59075 mjshoaf 2015-09-02T12:45:17Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203310#M59076 <P>Yeah, this is the right idea, but my CSV is based on the results of a lookup to an external database. I can't control what columns are present in the CSV. My search simply needs to be able to check for the presence of <STRONG>server_address</STRONG> in the CSV.</P> <P>If <STRONG>server_address</STRONG> is present in the CSV, don't alert. Otherwise, alert.</P> Wed, 02 Sep 2015 12:47:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203310#M59076 mjshoaf 2015-09-02T12:47:40Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203311#M59077 <P>Try this :</P> <P>your base search | search NOT [ | inputcsv yourcsvholdingserver_address.csv | table server_address ] | ...</P> <P>This must be done in all your alerts or set it up as automatic lookup which will result in a new field (maybe call it <CODE>alerts=disabled</CODE>) and you can use it in your alerts like <CODE>your base search NOT alert=disabled | ...</CODE></P> <P>I hope this makes some sense ...</P> Tue, 29 Sep 2020 07:10:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203311#M59077 MuS 2020-09-29T07:10:16Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203312#M59078 <P>Try something like this</P> <P><STRONG>Updated the extra punctuations</STRONG></P> <PRE><CODE>index=network "Health probe failed for server" NOT [|inputlookup inmaint.csv | table IP_address | rename IP_address as server_address ] </CODE></PRE> <P>This will take all the IP_address present in the lookup, (rename it as server_address) and exclude them from your base search, so you'll not be alerted on the same.</P> Tue, 29 Sep 2020 07:10:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203312#M59078 somesoni2 2020-09-29T07:10:19Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203313#M59079 <P>Yes, thank you.</P> Thu, 03 Sep 2015 13:29:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203313#M59079 mjshoaf 2015-09-03T13:29:23Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203314#M59080 <P>Fantastic! This achieves the goal. I just had to remove the odd punctuation so it looks like this:</P> <PRE><CODE> index=network "Health probe failed for server" NOT [|inputlookup inmaint.csv | table IP_address | rename IP_address as server_address] </CODE></PRE> <P>Question: Does the initial '|' in the sub-search serve a purpose? It seems to work with or without it?</P> Thu, 03 Sep 2015 14:10:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203314#M59080 mjshoaf 2015-09-03T14:10:58Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203315#M59081 <P>It does work with or without the initial pipe. The inputlookup on regular search needs a pipe, so I got the habit of putting that anyways. </P> Thu, 03 Sep 2015 15:04:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203315#M59081 somesoni2 2015-09-03T15:04:36Z https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203316#M59082 <P>This one was simple conceptually, but I was really having a hard time with the syntax. Thank you very much for the assist with this!</P> Thu, 03 Sep 2015 15:14:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-a-lookup-file-to-suppress-alerts/m-p/203316#M59082 mjshoaf 2015-09-03T15:14:22Z