Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I create an alert that will search for two separate string values with the OR condition inside the search?

Curiuu
Engager
‎01-25-2023 06:08 AM

I'm creating an alert that will search for two separate string values with the OR condition inside the search. Is there a way to setup the alert condition to fire for 'If the second event is not found within 5 minutes of the first event, fire the alert.'?  The events happen anytime within a 6 hour window, so having it search every 5 minutes for a count under 2 would fire alerts constantly.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-25-2023 07:40 AM

Try this running over the previous 10 minutes (or longer).

<search string1 or string2>
``` Ensure events in chronological order ```
| sort 0 _time
``` Get timeframe of search ```
| addinfo
``` Capture time of event if string 1 present (however you determine that) ```
| eval string1_time=if(<string1 in event>, _time, null())
``` Capture time of event if string 2 present (however you determine that) and after the first 5 minutes ```
| eval string2_time=if(<string2 in event> AND _time >= info_min_time + 300, _time, null())
``` Track latest times of string 1 through the event stream ```
| streamstats max(string1_time) as last_string1_time
``` Mark string 2 events as not OK if no previous string 1 or if previous string 1 too far in the past ```
| eval NOK=if(isnotnull(string2_time), if(isnotnull(last_string1_time) AND string2_time - last_string1_time <= 300, 0, 1), null())
``` Remove timing for string 1 events if in last 5 minutes ```
| eval string1_time=if(isnotnull(string1_time) AND string1_time <= info_max_time - 300, string1_time, null())
``` Count bad string 2 events and get last string 1 time prior to last 5 minutes ```
| stats sum(NOK) as NOK max(string1_time) as last_string1_time
``` Alert condition (number of results > 0) if any bad string 2 events or no string 2 events but there were string 1 events prior to last 5 minutes ```
| where NOK > 0 OR (isnull(NOK) AND isnotnull(last_string1_time))

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-25-2023 07:40 AM

Try this running over the previous 10 minutes (or longer).

<search string1 or string2>
``` Ensure events in chronological order ```
| sort 0 _time
``` Get timeframe of search ```
| addinfo
``` Capture time of event if string 1 present (however you determine that) ```
| eval string1_time=if(<string1 in event>, _time, null())
``` Capture time of event if string 2 present (however you determine that) and after the first 5 minutes ```
| eval string2_time=if(<string2 in event> AND _time >= info_min_time + 300, _time, null())
``` Track latest times of string 1 through the event stream ```
| streamstats max(string1_time) as last_string1_time
``` Mark string 2 events as not OK if no previous string 1 or if previous string 1 too far in the past ```
| eval NOK=if(isnotnull(string2_time), if(isnotnull(last_string1_time) AND string2_time - last_string1_time <= 300, 0, 1), null())
``` Remove timing for string 1 events if in last 5 minutes ```
| eval string1_time=if(isnotnull(string1_time) AND string1_time <= info_max_time - 300, string1_time, null())
``` Count bad string 2 events and get last string 1 time prior to last 5 minutes ```
| stats sum(NOK) as NOK max(string1_time) as last_string1_time
``` Alert condition (number of results > 0) if any bad string 2 events or no string 2 events but there were string 1 events prior to last 5 minutes ```
| where NOK > 0 OR (isnull(NOK) AND isnotnull(last_string1_time))
Reply
Solved! Jump to solution

Curiuu
Engager
‎01-27-2023 08:49 AM

Got this to work, thank you so much!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...