Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alert Trigger Condition - Alert only if second string is not present

pierrem
Engager
‎05-09-2022 01:37 AM

Hi All, 

I'm currently trying to configure a alert to trigger when 2 events are NOT present in last 15min. 
In short if we have only Event1 but not Event2 then a alert should be triggered, if both events are present in last 15min then no alerts should be triggered. 

Use case, the alert is being configured to alert us when a VPN tunnel interface goes down and stays down for more than 15min, generally these VPN connections to terminate briefly but comes back up after a few seconds, hence we would like only alert if Event1 (down) took place in last 15min without Event2 (up) taking place. 

Event1 - Search query

index=firewall 10.10.10.10 Firewall_Name_XYZ=TEST123 AND "Lost Service"



Event2 - Search query 

index=firewall 10.10.10.10 Firewall_Name_XYZ=TEST123 AND (inbound "LAN-to-LAN" "created")



Search Query to show both events 

index=firewall 10.10.10.10 Firewall_Name_XYZ=TEST123 AND ("Lost Service" OR (inbound "LAN-to-LAN" "created"))



Any assistance will be greatly appreciated 🙂 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-09-2022 01:52 AM

You could try something like this

index=firewall 10.10.10.10 Firewall_Name_XYZ=TEST123 AND ("Lost Service" OR (inbound "LAN-to-LAN" "created"))
| rex "(?<event>Lost Service)"
| fillnull value="inbound created" event
| stats latest(event) as lastevent latest(_time) as lasttime
| where lastevent = "Lost Service" AND lasttime < now()-15*60

View solution in original post

Reply
Solved! Jump to solution

pierrem
Engager
‎05-11-2022 03:34 AM

Thanks ITWhisperer 

It works like a charm, I just removed the lasttime statement as the alert is configured to run in a cron schedule searching last 15min 🙂 

Thanks for the quick assistance 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-09-2022 01:52 AM

You could try something like this

index=firewall 10.10.10.10 Firewall_Name_XYZ=TEST123 AND ("Lost Service" OR (inbound "LAN-to-LAN" "created"))
| rex "(?<event>Lost Service)"
| fillnull value="inbound created" event
| stats latest(event) as lastevent latest(_time) as lasttime
| where lastevent = "Lost Service" AND lasttime < now()-15*60
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...