Alerting

How can I create an alert to generate and compare results on new values only?

Robbie1194
Communicator

I want to find out which UFs have stopped logging in my estate, and while I try to fix these UFs, I don't want a daily alert with the same results.

I only want to see any alerts if it's different UFs that have stopped reporting. I don't want to see any old results with the new results either, as it might get difficult to track what is resolved and what isn't.

The end result is that a separate alert is created every time a new forwarder stops logging. I know how to write the search to find missing forwarders, does anyone know how I should compare results to only generate on new values?

Cheers.

0 Karma

gcusello
SplunkTrust

Hi robbie1194,
you can find a solution to your need in DMC.

Anyway, to do something like you want I created a lookup (called perimeter.csv) containing all the forwarders in my perimeter (lookup has only one column called "host") and I check if I receive logs from each of them.
I run this search on _internal index every 5 minutes:

index=_internal 
| eval host=upper(host)
| stats count by host
| append [ | inputlookup perimeter.csv | eval host=upper(host), count=0 | fields host count ]
| stats sum(count) AS Total BY host
| where Total=0

In this way you have an alert that triggers for all the forwarders in your perimeter that don't send logs every five minutes, and you can intervene without comparing today's results with yesterday's results.
You can also display the situation in a dashboard, in graphic mode as well.

Bye.
Giuseppe

0 Karma
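An added example, not part of the original question or of Giuseppe's answer, that extends the perimeter.csv search above to alert only on newly missing forwarders: it keeps a second lookup (assumed here to be named missing_state.csv, created once as an empty CSV with a single host column before the first run) holding the forwarders that were missing on the previous run, overwrites it with the current missing set, and returns only the hosts that were not already in it.

```spl
index=_internal
| eval host=upper(host)
| stats count BY host
| append [| inputlookup perimeter.csv | eval host=upper(host), count=0 | fields host count]
| stats sum(count) AS Total BY host
| where Total=0
| fields host
| eval missing_now=1
| append [| inputlookup missing_state.csv | eval host=upper(host), alerted_before=1 | fields host alerted_before]
| stats max(missing_now) AS missing_now, max(alerted_before) AS alerted_before BY host
| where missing_now=1
| fields host alerted_before
| outputlookup override_if_empty=true missing_state.csv
| where isnull(alerted_before)
```

Schedule it every five minutes like the original search, trigger on number of results greater than zero and choose "For each result" as the trigger mode to get one alert per forwarder as asked; a forwarder that recovers drops out of missing_state.csv on the next run, so it will alert again if it stops a second time.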