Alerting

How to create a unique value on 0 event searches?

vishalduttauk
Path Finder

I have a search which triggers an alert if an event hasn't been received by 6.20 am. That alert works fine but it needs to send data into another system. That system needs a unique id within its Key field.

key=$result._time$ won't work as the event doesn't exist.

Is there a way to add a unique value into that key field on an event that doesn't exist?

The search is:

sourcetype=Batch OR sourcetype=ManualBatch "Step 'CleanupOldRunlogs' finished with status SUCCESS"


vishalduttauk
Path Finder

I managed to find a solution which is to use $job.latestTime$ instead. I have applied this to all our alerts now.


This is where I got the idea from: https://community.splunk.com/t5/Dashboards-Visualizations/Setting-job-earliestTime-and-job-latestTim...


richgalloway
SplunkTrust

This is a job for appendpipe.  The appendpipe command runs commands against the current results and, among other things, lets you give values to fields when there are no results.

sourcetype=Batch OR sourcetype=ManualBatch "Step 'CleanupOldRunlogs' finished with status SUCCESS"
| appendpipe [ stats count | eval key="foo" | where count=0 | fields - count ]

Here, appendpipe checks how many results there are and sets a value for the key field.  That value is shown only if count is zero.  Finally, the count field is discarded.


---
If this reply helps you, Karma would be appreciated.

vishalduttauk
Path Finder

Thanks @richgalloway 

Is there a way to make the value for key unique? i.e. the alert could be triggered today and tomorrow but I want each value to be different.


richgalloway
SplunkTrust

You could set key to the current time.

sourcetype=Batch OR sourcetype=ManualBatch "Step 'CleanupOldRunlogs' finished with status SUCCESS"
| appendpipe [ stats count | eval key=now() | where count=0 | fields - count ]

---
If this reply helps you, Karma would be appreciated.

johnhuang
Motivator

You can set the key to the current timestamp.

| eval key=strftime(now(), "%Y-%m-%d %H:%M:%S")

PickleRick
SplunkTrust

I'd say whenever you can, store the time as a numeric timestamp, not as string. It's easier to manipulate, and you don't have to waste resources to parse it.

johnhuang
Motivator

Epoch time works but it depends if you want it to be human readable or not on the 3rd party system.

PickleRick
SplunkTrust

Sure. In this case rendering the value to text seems to be a bit of an overkill. And it's always cheaper to render a timestamp to a string than to parse a string to a timestamp.
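A small Python model of the two points made in this thread, added here as an illustration and not code from any of the posters or from Splunk: how `| appendpipe [ stats count | eval key=now() | where count=0 | fields - count ]` behaves on an empty versus a non-empty result set, and what the resulting key looks like as an epoch number versus a rendered string. The sample events, the fixed "now" value and the UTC rendering are constructed assumptions (Splunk's `strftime` uses the search head's timezone).

```python
from datetime import datetime, timezone

# Constructed sample rows standing in for the search results of
#   sourcetype=Batch OR sourcetype=ManualBatch "Step 'CleanupOldRunlogs' finished with status SUCCESS"
# Each row is a field -> value dict, like the rows appendpipe receives.
EVENTS_PRESENT = [
    {"_time": 1717395600, "sourcetype": "Batch",
     "_raw": "Step 'CleanupOldRunlogs' finished with status SUCCESS"},
]
EVENTS_MISSING = []  # the 06:20 check found nothing; this is the alert case


def appendpipe_key(results, now):
    """Model of `| appendpipe [ stats count | eval key=now() | where count=0 | fields - count ]`.

    appendpipe runs its subsearch over the current result set and appends
    whatever the subsearch returns. `stats count` always yields exactly one
    row (count may be 0), so after `where count=0` a row is appended only
    when the main search returned nothing. `now` stands in for Splunk's
    now(), which returns the search start time as an integer epoch.
    """
    count = len(results)
    sub = [{"count": count, "key": now}]                 # stats count | eval key=now()
    sub = [row for row in sub if row["count"] == 0]      # where count=0
    for row in sub:
        del row["count"]                                 # fields - count
    return results + sub


def key_for_downstream(results, now):
    """Return what the alert token $result.key$ expands to (first row's key).

    With events present the row has no key field at all, mirroring the
    original problem where $result._time$ had nothing to expand to when
    no event existed.
    """
    rows = appendpipe_key(results, now)
    return rows[0].get("key") if rows else None


def render_key(epoch):
    """Human-readable form, as in `eval key=strftime(now(), "%Y-%m-%d %H:%M:%S")`.

    Rendering assumes UTC here so the output is deterministic.
    """
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_key(text):
    """The reverse step a downstream system would need if it received the
    string form but wanted to sort or compare keys numerically.
    """
    return int(datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


if __name__ == "__main__":
    run_today = 1717396800       # constructed: 2024-06-03 06:40:00 UTC
    run_tomorrow = run_today + 86400
    print(appendpipe_key(EVENTS_PRESENT, run_today))   # unchanged, no key row
    print(appendpipe_key(EVENTS_MISSING, run_today))   # [{'key': 1717396800}]
    # Two alert runs on different days produce different keys.
    print(key_for_downstream(EVENTS_MISSING, run_today) != key_for_downstream(EVENTS_MISSING, run_tomorrow))
    print(render_key(run_today), parse_key(render_key(run_today)) == run_today)
```

Keeping the key numeric (the `now()` form) means the receiving system can compare and sort keys without a `parse_key`-style step; `render_key` is only needed when a person has to read the value.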
