Alerting

Custom alert based on inputlookup table not sending alerts

esmonder
Path Finder

I have several inputlookup tables that are updated on a frequent basis, and I want to detect new cases based on several conditions. However, since the inputlookup tables have no default _time field, I created a Time field to act as a timestamp based on a time field (date_last) in the table. My code:

| inputlookup mylookup.csv where <conditions>
| eval _time=strptime(date_last, "%Y-%m-%dT%H:%M:%S.000Z")
| sort _time 
| addinfo 
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S")
| table Time, srcip, org, source

However, the above is not sending any alerts, and I am wondering whether inputlookups are able to do so?

0 Karma

woodcock
Esteemed Legend

The events that come from inputlookup are no different than any others in any way that matters. The only thing that looks potentially limiting is that you should be using sort 0 _time instead of sort _time, but that's a long shot and unlikely to be your problem. It all depends on your actual data.

xpac
SplunkTrust

What is your alert condition?

0 Karma

esmonder
Path Finder

Just searching for events within a country.

0 Karma
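
A diagnostic search for the situation discussed in this thread, added here as an example and not written by any of the posters: it reuses mylookup.csv, date_last and the strptime format from the question, and buckets every lookup row by whether it would survive the time-window filter. The status labels are made up for illustration, and the `<conditions>` filter is left out so that all rows are counted.

```spl
| inputlookup mylookup.csv
| eval _time=strptime(date_last, "%Y-%m-%dT%H:%M:%S.000Z")
| addinfo
| eval status=case(
    isnull(_time), "date_last_not_parsed",
    _time<info_min_time, "before_window",
    info_max_time="+Infinity" OR _time<=info_max_time, "in_window",
    true(), "after_window")
| stats count, min(date_last) AS first_date_last, max(date_last) AS last_date_last BY status
```

Run it over the same time range the alert is scheduled with. Rows counted under date_last_not_parsed have a null _time (strptime returned nothing for the given format), so the original where clause drops them without any error.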