Alerting

Alerts Against A CSV

paddy3883
Path Finder

I have a macro saved which takes 4 parameters and is of the form:

source="MySource" $EventValueFilter$ earliest=$Earliest$ | head _time limit=$Limit$ | stats avg(Timing) as Timing | where Timing >= $Duration$

Which essentially needs to filter events based on a certain attribute for a specified duration, optionally select a sub-section of these, calculate the average Timing for that event (Timing is a defined integer value for the events filtered) and return a value when the average is above a certain threshold. Therefore I could call the following:

mymacro(LOGINSTEP, -4h, 0, 100)

which I would want to get the average time for events with LOGINSTEP in their text for the past 4 hrs and detect if this value was >= 100ms. What I would like to do is define a CSV file with a list of potential checks in a similar vein and have 1 alert which iterates over this file and reports on any relevant occurrences, e.g.

EventValueFilter,Earliest,Limit,Duration
LOGINSTEP,-1h,0,100
HOMEPAGE,-1h,5,50
SEARCHRESULTS,-5m,500

I have the lookup file/definition set up and the above macro so I was looking how I can use these two within a Search to alert me?


jonuwz
Influencer

Untested, but 'inputcsv' and 'map' should be what you need

Let's assume your CSV is called alertcheck.csv and the significant field returned by mymacro is 'count'

The search would be along the lines of :

| inputcsv alertcheck.csv 
| map search="
    `mymacro(\"$EventValueFilter$\", \"$Earliest$\", \"$Limit$\", \"$Duration$\")`
    | eval EventValueFilter=\"$EventValueFilter$\"
    | eval Earliest=\"$Earliest$\"
    | eval Limit=\"$Limit$\"
    | eval Duration=\"$Duration$\"
" | table EventValueFilter Earliest Limit Duration count

jonuwz
Influencer

Hmm. Apologies for leading you up the garden path.
This might be a bug.
This has been reported before: macros don't seem to expand in 'map'.


paddy3883
Path Finder

Yes, I put those in on my query, and another $ at the end of Duration in the parameter list. I still can't understand why I get the message when I run the script, but executing the generated query displays the results?


jonuwz
Influencer

oops - need backticks around the macro - updated


paddy3883
Path Finder

Thanks for this, I've tried to get it working but something strange is happening - when I run this:

| inputcsv Example.csv
| map search="mymacro($EventValueFilter$, $Earliest$, $Limit$, $Duration$)
| eval EventValueFilter=$EventValueFilter$
| eval Earliest=\"$Earliest$\"
| eval Limit=$Limit$
| eval Duration=$Duration$ "

I get the following message:

Unable to run query 'mymacro(LOGINSTEP, -1h, 0, 800) | eval EventValueFilter=LOGINSTEP | eval Earliest="-1h" | eval Limit=0 | eval Duration=800'.

However if I run the generated query above directly in a search then I get the results!!

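As an added example (not from either poster in this thread), one way to drive a single alert from the CSV without depending on macro expansion inside map is to inline the macro body from the question directly into the map search string. This assumes the macro body exactly as posted in the question, a lookup file named alertcheck.csv whose every row has all four columns (EventValueFilter, Earliest, Limit, Duration), and a base search of source="MySource". map substitutes the $field$ tokens from each inputcsv row, which is also why the macro's own $Limit$ and $Duration$ placeholders line up with the CSV column names. Double quotes inside the map search string are backslash-escaped, as in the answer above, and maxsearches is set explicitly because map otherwise stops after its default of 10 input rows.

```spl
| inputcsv alertcheck.csv
| map maxsearches=100 search="search source=\"MySource\" $EventValueFilter$ earliest=$Earliest$
    | head _time limit=$Limit$
    | stats avg(Timing) as Timing
    | where Timing >= $Duration$
    | eval EventValueFilter=\"$EventValueFilter$\", Earliest=\"$Earliest$\", Limit=$Limit$, Duration=$Duration$"
| table EventValueFilter Earliest Limit Duration Timing
```

Each output row is one check from the CSV whose average Timing exceeded its Duration threshold, so the search can be saved as an alert that triggers when the number of results is greater than 0. A row in the CSV with a missing column (like the SEARCHRESULTS line in the question, which has only three values) would leave a token unsubstituted and produce a malformed subsearch, so the lookup file should be validated before the alert is scheduled.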