Alerting

How to create an alert to check for only selected IDs within one query

saitejagayala
New Member

I have to create an alert with 2 conditions
Condition 1: If computer Id is not present, then it should trigger an alert.
Condition 2: It should check only for selected computer Id(s).

For Example:
I want to search only for Computer Id(s) 1001, 1003, 1007, 1008.......etc. So, what I did is: I created a CSV lookup file, appended the lookup (in the query), and created an alert with the Trigger Condition "Number of results < 1".

**TRIED WITH QUERY**
index = abc Computerdata
| rex field=_raw "(?ms)^(?:[^\\\\\\n]*\\\\){10}\":(?P<computerId>\\d+)"
| lookup compIDlookup.csv computerId OUTPUT computerId

NOTE: Computer Id is not a field. So, I extracted it with rex and then I am applying the lookup to the extracted field (computerId).

OUTPUT (what I'm getting):
Even if one computer Id's data is present, it's not checking the other computer Id(s) as per the given condition.

EXPECTED OUTPUT:
All I want is that it should take each ID from the lookup and check; if the computer Id's data is not present, it should trigger an alert for that particular ID.

Can anyone suggest a solution?
Thanks in Advance!!!

0 Karma
1 Solution

renjith_nair
SplunkTrust

@saitejagayala,

Try

 |inputlookup compIDlookup.csv |table computerId|eval isCsv=1 |append [index = abc Computerdata
 | rex field=_raw "(?ms)^(?:[^\\\\\\n]*\\\\){10}\":(?P<computerId>\\d+)" |stats count by computerId|table computerId]
 | stats count ,max(isCsv) as isCsv by computerId|where count <2 AND isCsv=1

This should give you a list of computerIds which are present in the lookup file and not in events. Set the alert condition as Number of results > 0

0 Karma

saitejagayala
New Member

@renjith.nair

But, my requirement is not to display the IDs which are present in the lookup.
What I am trying to do is: the lookup file consists of computer IDs.
For instance,
Let us consider 1001, 1003, 1007, 1008 are there in the lookup file. So, it should take each ID (i.e. 1001) and check whether that ID is present or not. If the ID is not there in the events, then the alert should get activated.
Similarly it should check for the other IDs and send an alert if an ID is not present in the events.

0 Karma

renjith_nair
SplunkTrust

@saitejagayala,
That's what the above search does. Have you tried that, and what's missing in the output?

Let's go through the search step by step

 |inputlookup compIDlookup.csv |table computerId|eval isCsv=1 

Result: A set of computerIds which you want to compare against events and a dummy variable isCsv to identify that the records are from the csv

  |append [index = abc Computerdata
  | rex field=_raw "(?ms)^(?:[^\\\\\\n]*\\\\){10}\":(?P<computerId>\\d+)" |stats count by computerId|table computerId]

Result: Append a list of computerIds which are present in your events to the first set of results

| stats count ,max(isCsv) as isCsv by computerId

Result: Count the number of records by computerId (common in the first (csv) and second (events) results)

|where count <2 AND isCsv=1

Result: List of ids from the input csv (isCsv=1) which have a single occurrence, i.e. not present in events

Let us know if it does not work and what's missing.

0 Karma

saitejagayala
New Member

Thanks @renjith.nair
It worked with a minor change. But count and isCsv are appearing in the table, which I don't need. When I'm trying to add

fields -isCsv

it's affecting the whole results (unable to retrieve anything).
Can you suggest on this?

0 Karma

renjith_nair
SplunkTrust

@saitejagayala,
Try the below as the last statement in your search and make sure there is a "space" between - and isCsv

fields - isCsv,count

0 Karma