- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- How do you set an alert on a calculated field when...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you set an alert on a calculated field when it is impossible to do against the "base search"?
I am running a scanner that runs on hundreds of websites and provides a numerical score. Using autoregress, I compare the score against the last score. If it has changed since the last run, I mark A11y_changed to True. See below:
host="accessibility-scanner.foo.com" source="/var/log/lighthouse/lighthouse.log" sourcetype=lighthouse requestedUrl=*
| sort requestedUrl, _time
| dedup 2 requestedUrl
| reverse
| autoregress total__accessibility_score AS old_a11y_score p=1
| eval a11y_changed = if(total__accessibility_score!=old_a11y_score,"True","False")
| reverse
| dedup requestedUrl
| table _time requestedUrl total__accessibility_score old_a11y_score a11y_changed
I want to run the alert on Trigger Condition of a11y_changed="True" using "For each result"... meaning run the alert on each row of the table.
The documentation says an alert can only be 'Evaluated against the results of the base search.' SO, I won't have access to my calculated True/False field.
How do I set an alert on a calculated field that cannot be found in a base search?
Admittedly I'm still pretty new to Splunk... but, I think my albeit convoluted search is the only way I can get to the results I need into one row each. I'm tracking hundreds of sites. I can't make an alert for each one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The term "base search" may be confusing you here. An alert can be keyed off of any field that is returned by the underlying search. It doesn't have to be a "base search" in a dashboard or anything like that.
The search that your alert runs off should return only events where a11y_changed is true, and should return the url as well. Your "for each results" limit will be based on the url.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@renjith.nair and @DalJeanis thanks for your idea and explanation. It worked and I understand now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@kingb00, which documentation you are referring to which says alert condition has to be from base search result.
You should be able to create alert on eval fields as well. In your case , add a custom alert with a condition
where a11y_changed="True" and enable it for each result.
What goes around comes around. If it helps, hit it with Karma 🙂
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
