Alerting

How do you trigger an alert based on a parameter from a different alert?

Explorer

Hello, I am new to Splunk and i have a little problem with making an alert

So i want to trigger an alert when I don't find any rows before 10:00AM that day

The search looks like this

index = auth "File has been processed"
| eval mytime=strftime(_time, "%Y-%m-%d") 

And it woud be simple if it could trigger every day. Unfortunately i need to check if the day the alert should trigger is in another log (trigger if the date is same)

To get that date i use that query (INDATE is yyyy-mm-dd)

index=auth Add.N.Days |rex "<retdate>(?<INDATE>.*)</retdate>" 

So basically i need to check if first search finds anything until 10:00 AM and if not, then trigger an alert but only if the INDATE is the same as the "mytime" from first query. Any suggestions?

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Use this as an alert search. The subsearch will return INDATE as current date when index=auth query doesn't return any results (you need to add proper time range to the subsearch). It'll return DummyWillNotMatch if the index=auth has data, so it'll not match with Add.N.Days. You alert condition should be number of events greater than 0.

index=auth Add.N.Days | rex "<retdate>(?<INDATE>.*)</retdate>" 
| search [search index = auth "File has been processed" | eval INDATE="DummyWillNotMatch" | appendpipe [| stats count | where count=0 | eval INDATE=strftime(now(), "%Y-%m-%d") | stats values(INDATE) as INDATE ]

View solution in original post

SplunkTrust
SplunkTrust

Use this as an alert search. The subsearch will return INDATE as current date when index=auth query doesn't return any results (you need to add proper time range to the subsearch). It'll return DummyWillNotMatch if the index=auth has data, so it'll not match with Add.N.Days. You alert condition should be number of events greater than 0.

index=auth Add.N.Days | rex "<retdate>(?<INDATE>.*)</retdate>" 
| search [search index = auth "File has been processed" | eval INDATE="DummyWillNotMatch" | appendpipe [| stats count | where count=0 | eval INDATE=strftime(now(), "%Y-%m-%d") | stats values(INDATE) as INDATE ]

View solution in original post

Explorer

Love it! Thank you

0 Karma

Legend

Hi Ponczi1,
at first if you haven't any event you canot use _time in mytime, so, try something like this:

index=auth "File has been processed"
| append [ search index=_internal | head 1 | eval mytime=strftime(now(), "%Y-%m-%d")]
| stats values(mytime) AS mytime count
| where count=1
| append [ search index=auth Add.N.Days | rex "<retdate>(?<INDATE>.*)</retdate>" ]
| where mytime=INDATE
| table mytime

Bye.
Giuseppe