Alerting

How do I create an alert that is triggered if a source type exists in a lookup table?

soumyacharya91
Path Finder

I want to create an alert that triggers when a source type doesn't exist in a lookup table (e.g. srctype.csv). But I'm not sure how to create the search string for this. The field I'm using in the srctype.csv lookup table is source type, as follows:

If the source type matches a source type listed in the table, the alert should be triggered. Any help on how to do this is much appreciated.

0 Karma
1 Solution

KailA
Contributor

Hello :),

You can try something like this:

index=foo 
| stats count by sourcetype
| inputlookup append=true srctype.csv
| stats count by sourcetype
| where count > 1

That should return the sourcetypes present in the index AND in the lookup.
Let me know.

KailA


soumyacharya91
Path Finder

Thanks,

This code has done the job with a minor change, i.e. |where count=1. Using this we can get all the remaining fields which are not available.

0 Karma

KailA
Contributor

I thought you wanted the sourcetypes present in the index and the lookup, but glad that helped you 🙂

0 Karma

Vijeta
Influencer

Please try the below query:

index=foo
| stats count by sourcetype
| join type=outer sourcetype [| inputlookup srctype.csv | eval x=1]
| where isnull(x)

This will give you all sourcetypes from index foo, with the field x set to 1 wherever the lookup has the sourcetype; otherwise x will be null if the particular sourcetype does not exist in the lookup.

0 Karma

cmerriman
Super Champion

Without knowing the dataset for sourcetypes you're looking at, something like this might work:

index=foo
| stats count by sourcetype
| join sourcetype [| inputlookup srctype.csv]

and alert if the results are greater than 0

0 Karma

soumyacharya91
Path Finder

Actually I need the values which are not matched from the lookup table.

In this query, I think it is matching and publishing the current matches instead of the values which are not matched with the lookup table. I need to trigger the alert only if such a non-match is present.

I tried the below query also, but I'm getting the same result as yours.

index=foo
| lookup srctype.csv sourcetype OUTPUT sourcetype as sourcetype

0 Karma
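As an added example that is not part of this thread, the following Python models the SPL pipelines posted above as operations on rows, run over constructed sample data (a handful of sourcetypes for index=foo and a few rows for srctype.csv) rather than on a Splunk instance. It assumes srctype.csv has a single column named sourcetype. What it shows: KailA's append-and-count search with where count=1 returns the symmetric difference, so lookup entries that never appear in the index are reported alongside index sourcetypes missing from the lookup, and a sourcetype listed twice in the lookup reaches count > 1 without being in the index at all; Vijeta's outer-join variant, and a lookup that writes to a fresh output field, return exactly the index sourcetypes absent from the lookup, while OUTPUT sourcetype AS sourcetype overwrites the field with itself and can never produce a null to test.

```python
# Added example, not code from the thread: a model of the SPL pipelines above,
# run over constructed sample data. Each docstring quotes the SPL it models.
# Assumption: srctype.csv has exactly one column, named sourcetype.
from collections import Counter

# Constructed sample data: one entry per event in index=foo (syslog appears twice).
INDEX_EVENTS = [{"sourcetype": st} for st in
                ["access_combined", "syslog", "wineventlog", "syslog", "custom_app"]]
# Constructed srctype.csv rows: linux_secure is listed but never seen in the
# index, and syslog is deliberately listed twice to expose a counting pitfall.
LOOKUP_ROWS = [{"sourcetype": "access_combined"}, {"sourcetype": "syslog"},
               {"sourcetype": "syslog"}, {"sourcetype": "linux_secure"}]


def stats_count_by(rows, field):
    """Models `| stats count by <field>`: one row per distinct value with its count."""
    counts = Counter(r[field] for r in rows if field in r)
    return [{field: v, "count": c} for v, c in counts.items()]


def append_and_count(events, lookup_rows):
    """Models the accepted answer up to its second stats:
         index=foo | stats count by sourcetype
         | inputlookup append=true srctype.csv
         | stats count by sourcetype
       After the first stats there is exactly one row per index sourcetype, so the
       second count is (1 if in index else 0) + (number of lookup rows naming it).
       Returns {sourcetype: count}."""
    rows = stats_count_by(events, "sourcetype") + list(lookup_rows)
    return {r["sourcetype"]: r["count"] for r in stats_count_by(rows, "sourcetype")}


def count_gt_1(events, lookup_rows):
    """`| where count > 1` (KailA): meant as index AND lookup. Correct only if the
       lookup lists each sourcetype once; a duplicated lookup row alone reaches 2."""
    return {st for st, c in append_and_count(events, lookup_rows).items() if c > 1}


def count_eq_1(events, lookup_rows):
    """`| where count=1` (the asker's change): this is the symmetric difference, so
       lookup entries absent from the index are reported next to the index
       sourcetypes absent from the lookup."""
    return {st for st, c in append_and_count(events, lookup_rows).items() if c == 1}


def join_outer(left, right, key):
    """Models `| join type=outer <key> [subsearch]`: keep every left row, merge the
       fields of the first matching right row, add nothing when there is no match."""
    out = []
    for l in left:
        merged = dict(l)
        match = next((r for r in right if r.get(key) == l.get(key)), None)
        if match is not None:
            merged.update({k: v for k, v in match.items() if k != key})
        out.append(merged)
    return out


def outer_join_isnull(events, lookup_rows):
    """Models Vijeta's query:
         index=foo | stats count by sourcetype
         | join type=outer sourcetype [| inputlookup srctype.csv | eval x=1]
         | where isnull(x)
       Only index sourcetypes survive, and x is null exactly when no lookup row matched."""
    right = [dict(r, x=1) for r in lookup_rows]
    joined = join_outer(stats_count_by(events, "sourcetype"), right, "sourcetype")
    return {r["sourcetype"] for r in joined if r.get("x") is None}


def lookup_output(events, lookup_rows, as_name):
    """Models `| lookup srctype.csv sourcetype OUTPUT sourcetype AS <as_name>`: on a
       match the lookup's value is written to <as_name>; on no match the event is
       left untouched (the output field is not created or cleared)."""
    out = []
    for e in events:
        e2 = dict(e)
        if any(r["sourcetype"] == e["sourcetype"] for r in lookup_rows):
            e2[as_name] = e["sourcetype"]
        out.append(e2)
    return out


def lookup_missing(events, lookup_rows, as_name="in_lookup"):
    """`| lookup srctype.csv sourcetype OUTPUT sourcetype AS <as_name>
        | where isnull(<as_name>) | stats count by sourcetype`.
       With as_name="sourcetype" (the asker's last attempt) the field is overwritten
       with itself, nothing is ever null, and where isnull() keeps no events at all."""
    return {e["sourcetype"] for e in lookup_output(events, lookup_rows, as_name)
            if as_name not in e}


if __name__ == "__main__":
    print("count > 1   :", sorted(count_gt_1(INDEX_EVENTS, LOOKUP_ROWS)))
    print("count = 1   :", sorted(count_eq_1(INDEX_EVENTS, LOOKUP_ROWS)))
    print("outer join  :", sorted(outer_join_isnull(INDEX_EVENTS, LOOKUP_ROWS)))
    print("lookup/null :", sorted(lookup_missing(INDEX_EVENTS, LOOKUP_ROWS)))
```

In SPL terms, the append-and-count search only behaves as intended if the lookup is deduplicated first (a dedup sourcetype after the inputlookup) and, even then, where count=1 still reports lookup-only entries; if the alert is meant to fire on index sourcetypes that are missing from the lookup, the outer-join form or a lookup into a fresh output field followed by where isnull(...) is the one to schedule, and the alert condition is simply a non-zero result count. Both join and subsearch-based forms are subject to Splunk's subsearch result limits, so very large lookups should be handled with the lookup command rather than join.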