Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you make a real time alert for the first occurrence of an event?

agro1986001
Engager
‎01-09-2019 11:34 PM

Suppose I have events of user purchases

<pre>
eventName=purchase userId=1 time=1000 item=food price=100
eventName=purchase userId=1 time=1002 item=cloth price=200
eventName=purchase userId=1 time=1010 item=cloth price=150
eventName=purchase userId=99 time=1050 item=book price=200
</pre>

I would like to set a real time alert that informs me whether a user's FIRST EVER purchase has price >= 200

If I use normal search, I can just use "All time" with this query

<pre>
eventName=purchase | sort time | dedup userId | where price >= 200
</pre>

However, how do I efficiently implement the same thing using real time search? Something like

<pre>
eventName=purchase | ONLY PROCEED WHEN THIS IS THE FIRST ONE FOR THE USER | where price >= 200
</pre>

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2019 05:55 AM

You will need to maintain a lookup file of all the users who have ever made a purchase. Anyone making a purchase who is not in the lookup file must be a first-time purchaser. The lookup file (I call it 'purchasers.csv') will contain userId and at least one other field, perhaps 'time'.

eventName=purchase | where price >= 200 | lookup purchasers.csv userId OUTPUT time | where isnotnull(time)

Consider whether this really needs to be a real-time search. RT searches tie up a CPU on your search head and all indexers. They should be reserved for when an event must be responded to instantly and automatically.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2019 05:55 AM

You will need to maintain a lookup file of all the users who have ever made a purchase. Anyone making a purchase who is not in the lookup file must be a first-time purchaser. The lookup file (I call it 'purchasers.csv') will contain userId and at least one other field, perhaps 'time'.

eventName=purchase | where price >= 200 | lookup purchasers.csv userId OUTPUT time | where isnotnull(time)

Consider whether this really needs to be a real-time search. RT searches tie up a CPU on your search head and all indexers. They should be reserved for when an event must be responded to instantly and automatically.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

agro1986001
Engager
‎01-23-2019 05:26 AM

Thanks @richgalloway

But now the question becomes, how do I maintain such lookup using only Splunk?

My idea is to run a script on/before index and then somehow writes into Splunk's key value store. However I couldn't find info on how to make a custom script called on/before index. Any idea? Thanks

Related question is here: https://answers.splunk.com/answers/718386/run-a-python-script-on-or-before-index.html

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...