Alerting

How to create a unique value on 0 event searches?

vishalduttauk
Communicator

I have a search which triggers an alert if an event hasn't been received by 6.20 am. That alert works fine, but it needs to send data into another system. That system needs a unique id within its Key field.

key=$result._time$ won't work as the event doesn't exist.

Is there a way to add a unique value into that key field on an event that doesn't exist?

The search is:

sourcetype=Batch OR sourcetype=ManualBatch "Step 'CleanupOldRunlogs' finished with status SUCCESS"

vishalduttauk
Communicator

I managed to find a solution which is to use $job.latestTime$ instead. I have applied this to all our alerts now.


This is where I got the idea from: https://community.splunk.com/t5/Dashboards-Visualizations/Setting-job-earliestTime-and-job-latestTim...

richgalloway
SplunkTrust

This is a job for appendpipe.  The appendpipe command runs commands against the current results and, among other things, lets you give values to fields when there are no results.

sourcetype=Batch OR sourcetype=ManualBatch "Step 'CleanupOldRunlogs' finished with status SUCCESS"
| appendpipe [ stats count | eval key="foo" | where count=0 | fields - count ]

Here, appendpipe checks how many results there are and sets a value for the key field.  That value is shown only if count is zero.  Finally, the count field is discarded.


---
If this reply helps you, Karma would be appreciated.

vishalduttauk
Communicator

Thanks @richgalloway 

Is there a way to make the value for key unique, i.e. the alert could be triggered today and tomorrow, but I want each value to be different?


richgalloway
SplunkTrust

You could set key to the current time.

sourcetype=Batch OR sourcetype=ManualBatch "Step 'CleanupOldRunlogs' finished with status SUCCESS"
| appendpipe [ stats count | eval key=now() | where count=0 | fields - count ]
---
If this reply helps you, Karma would be appreciated.

johnhuang
Motivator

You can set the key to the current timestamp.

| eval key=strftime(now(), "%Y-%m-%d %H:%M:%S")

PickleRick
SplunkTrust

I'd say whenever you can, store the time as a numeric timestamp, not as string. It's easier to manipulate, and you don't have to waste resources to parse it.

johnhuang
Motivator

Epoch time works but it depends if you want it to be human readable or not on the 3rd party system.

PickleRick
SplunkTrust

Sure. In this case rendering the value to text seems to be a bit of an overkill. And it's always cheaper to render a timestamp to a string than to parse a string to a timestamp.
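Pulling the thread together, here is an added SPL example (not from any of the posts above) of a "missing job" alert search: appendpipe emits exactly one row when the search returns nothing, the numeric epoch key from now() is unique per alert run, and a readable copy is rendered from that same number only for the downstream system. The status and key_readable field names are assumptions; use whatever the receiving system expects.

```spl
sourcetype=Batch OR sourcetype=ManualBatch "Step 'CleanupOldRunlogs' finished with status SUCCESS"
| appendpipe [
    stats count
    | where count=0
    | eval key=now(),
           key_readable=strftime(key, "%Y-%m-%dT%H:%M:%S%z"),
           status="MISSING"
    | fields - count
  ]
| where status="MISSING"
| table key key_readable status
```

With the alert condition set to trigger on one or more results, the final where clause means the alert fires only on the synthetic MISSING row, and $result.key$ can then be used as the unique id in the alert action.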
