Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

And condition

Pravinsugi
Path Finder
‎12-03-2023 06:01 AM

I have below message in the splunk log

 

Ex : s1 event has been received for customer 15778

S2 event has been received for customer 15778

S3 event has been received for customer 15778

 

I want to check all S1,S2,S3 event has been received message present in the particular customer.i used AND condition but not able to achieve.plesse help me on this.

As per my scenario,if i have 1 lakhs customer, i want to check for all 3 events has been received mesage is present in the splunk log for one particular customer.if not present all 3 mesage i need to set up alert.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-03-2023 07:09 AM

Assuming customer and event have already been extracted

| stats values(event) as events by customer
| where NOT (events = "s1" AND events = "s2" AND events = "s3")
0 Karma
Reply

Pravinsugi
Path Finder
‎12-03-2023 07:22 AM

How to extract customer number ?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-03-2023 07:24 AM 
| rex "customer (?<customer>\d+)"
0 Karma
Reply

Pravinsugi
Path Finder
‎12-03-2023 07:29 AM

I have below query .how to include into result query.pls advise

 

 

Need to include this one into result query

| stats values(event) as events by customer | where NOT (events = "s1" AND events = "s2" AND events = "s3")

Result query:

(index=1 sourcetype="abc" "s1 event received" and "s2 event received" and "s3 event received") OR (index=2 sourcetype="xyz" "created") | rex "(?<e_type>s.) event received for (?<customer>\d+)" | rex "(?<created>created) for (?<customer>\d+)" | stats max(eval(if(e_type="s3",_time, null()))) as last_e_type max(eval(if(created="created", _time, null()))) as created_time dc(e_type) as e_types values(created) as created by customer | addinfo | where e_types=3 AND (created_time-last_e_type > 300 OR (isnull(created_time) AND info_max_time - last_e_type > 300)

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-03-2023 07:37 AM

It depends on what you are trying to do since this search seems to be the opposite of what you had previously said you were trying to do.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-03-2023 07:04 AM

The AND operator works within a single event.  To combine multiple events you need to use an aggregating command.  Assuming the customer number has been extracted into a field called "customer" then this will trigger an alert if any customer does not have all three events.

<<some search for S1, S2, and S3>>
| stats count by customer
| where count < 3

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Pravinsugi
Path Finder
‎12-03-2023 07:22 AM

How to extract customer number from the event .pls advise 

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...