Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Custom alert based on inputlookup table not sending alerts

esmonder
Path Finder
‎05-03-2018 07:31 PM

I have several inputlookup tables that are updated on a frequent basis and i want to detect new cases based on several conditions. However since the inputlookup tables have no default _time field, i created a Time field to act as a timestamp based on a time field (date_last) in the table. My code:

| inputlookup mylookup.csv where <conditions>
| eval _time=strptime(date_last, "%Y-%m-%dT%H:%M:%S.000Z")
| sort _time 
| addinfo 
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S")
| table Time, srcip, org, source

However, the above is not sending any alerts and i am wondering whether inputlookups are able to do so?

0 Karma
Reply

woodcock
Esteemed Legend
‎05-04-2018 12:07 AM

The events that come from inputlookup are no different than any others in any way that matters. The only thing that looks potentially limiting is that you should be using sort 0 _time instead of sort _time but that's a long shot and unlikely to be your problem. It all depends on your actual data.

Reply

xpac
SplunkTrust
SplunkTrust
‎05-03-2018 10:06 PM

What is your alert condition?

0 Karma
Reply

esmonder
Path Finder
‎05-03-2018 11:05 PM

just searching for events within a country

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...