Alerting

How to create a unique value on 0 event searches?

vishalduttauk
Path Finder

I have a search which triggers an alert if an event hasn't be received by 6.20 am. That alert works fine but it needs to send data into another system. That system needs a unique id within it's Key field.

key=$result._time$ won't work as the event doesn't exist.

Is there a way to add a unique value into that key field on an event that doesn't exist?

The search is:

sourcetype=Batch OR sourcetype=ManualBatch "Step 'CleanupOldRunlogs' finished with status SUCCESS"

Labels (2)
0 Karma
1 Solution

vishalduttauk
Path Finder

I managed to find a solution which is to use $job.latestTime$ instead. I have applied this to all our alerts now.

 

This is where I got the idea from: https://community.splunk.com/t5/Dashboards-Visualizations/Setting-job-earliestTime-and-job-latestTim...

View solution in original post

vishalduttauk
Path Finder

I managed to find a solution which is to use $job.latestTime$ instead. I have applied this to all our alerts now.

 

This is where I got the idea from: https://community.splunk.com/t5/Dashboards-Visualizations/Setting-job-earliestTime-and-job-latestTim...

richgalloway
SplunkTrust
SplunkTrust

This is a job for appendpipe.  The appendpipe command runs commands against the current results and, among other things, lets you give values to fields when there are no results.

sourcetype=Batch OR sourcetype=ManualBatch "Step 'CleanupOldRunlogs' finished with status SUCCESS"
| appendpipe [ stats count | eval key="foo" | where count=0 | fields - count ]

Here, appendpipe checks how many results there are and sets a value for the key field.  That value is shown only if count is zero.  Finally, the count field is discarded.

 

---
If this reply helps you, Karma would be appreciated.

vishalduttauk
Path Finder

Thanks @richgalloway 

Is there a way to make the value for key unique. i.e. the alert could be triggered today and tomorrow but i want each value to be different

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You could set key to the current time.

sourcetype=Batch OR sourcetype=ManualBatch "Step 'CleanupOldRunlogs' finished with status SUCCESS"
| appendpipe [ stats count | eval key=now() | where count=0 | fields - count ]
---
If this reply helps you, Karma would be appreciated.

johnhuang
Motivator

You can set the key to the current timestamp.

| eval key=strftime(now(), "%Y-%m-%d %H:%M:%S")

PickleRick
SplunkTrust
SplunkTrust

I'd say whenever you can, store the time as a numeric timestamp, not as string. It's easier to manipulate, and you don't have to waste resources to parse it.

johnhuang
Motivator

Epoch time works but it depends if you want it to be human readable or not on the 3rd party system.

PickleRick
SplunkTrust
SplunkTrust

Sure. In this case rendering the value to text seems to be a bit of an overkill. And it's always cheaper to render a timestamp to a string than to parse a string to a timestamp.

Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...