Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I create an alert that is triggered if a source type exists in a lookup table?

soumyacharya91
Path Finder
‎10-09-2018 07:02 AM

I want to create an alert that triggers when a source type doesn't exist in a lookup table (e.g. srctype.csv). But I'm not sure how to create the search string for this. The fields I'm using in the srctype.csv lookup table is source type as follows:

If the source type matches a source type listed in the table, the alert should triggered. Any help on how to do this are much appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

KailA
Contributor
‎10-09-2018 08:28 AM

Hello :),

You can try something like that :

index=foo 
| stats count by sourcetype
| inputlookup append=true srctype.csv
| stats count by sourcetype
| where count > 1

That should return you the sourcetype present in the index AND in the lookup
Let me know.

KailA

View solution in original post

Reply
Solved! Jump to solution
Solution

KailA
Contributor
‎10-09-2018 08:28 AM

Hello :),

You can try something like that :

index=foo 
| stats count by sourcetype
| inputlookup append=true srctype.csv
| stats count by sourcetype
| where count > 1

That should return you the sourcetype present in the index AND in the lookup
Let me know.

KailA

Reply
Solved! Jump to solution

soumyacharya91
Path Finder
‎10-12-2018 01:39 AM

Thanks,

This code have done the job with a minor change, i.e |where count=1. using this we can get all the remaining fields which are not available.

0 Karma
Reply
Solved! Jump to solution

KailA
Contributor
‎10-12-2018 06:31 AM

I thought you wanted the sourcetype present in the index and the lookup but glad that help you 🙂

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎10-09-2018 07:53 AM

Please try below query ,

index=foo |stats count by sourcetype|join type=outer sourcetype [|inputlookup srctype.csv| eval x=1] | where isnull(x)

This will give you all sourcetype from index foo and the field x with value 1 wherever the lookup has sourcetype else the value of x will be null if the particular sourcetype does not exist in lookup.

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎10-09-2018 07:25 AM

without knowing the dataset for sourcetypes you're looking at, something like this might work:

index=foo |stats count by sourcetype|join sourcetype [|inputlookup srctype.csv]

and alert if the results are greater than 0

0 Karma
Reply
Solved! Jump to solution

soumyacharya91
Path Finder
‎10-09-2018 07:47 AM

Actually I need the values which are not matched from the lookup table.

In this query I think, It is matching and publishing the result of current match instead of the values which are not matched with the lookup table. I need to trigger the alert if that not match is present only.

I tried below query also but I'm getting the same result as yours.

index=foo
| lookup srctype.csv sourcetype OUTPUT sourcetype as sourcetype

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...