Alerting

Question around Alerts and Automation through Splunk

dnv007
Explorer

Hello!

I have multiple questions around the topic "Alerts" in Splunk. Here is what I am trying to achieve. I am trying to automate a couple of macros to run one after the other. For example:
1) My first macro runs to extract data for a period of 6 months from another index (let's call this Complete_Data_index) into my new index (let's call it Data_Tier1).
2) My second macro runs on Data_Tier1, generating additional fields along with the original fields as part of the results, and collects it into a new index called Data_Tier2.
3) My third macro runs on the index Data_Tier2, where again it generates additional fields along with the original fields and the fields generated for Data_Tier2 as part of the results, and collects it into a new index called Data_Tier3.

The requirement now is to generate logs that record whether each macro run was successful, erroneous, partially successful, etc. Basically, to set up a logger to know what is happening at each stage of the macro.

1) One of the questions I also had was about the feature "Trigger Conditions". If for some reason data was not collected into Data_Tier1 from Complete_Data_index, and my "Trigger Condition" is set to Number of Results greater than 0 (refer to screenshot), will this trigger an alert to me indicating that no data was collected?

2) Can all this be achieved just with Splunk, or should I use Python to help me set up logging/loggers?

Please help and suggest!

Thanks in Advance!


vessev
Path Finder

Hi dnv007,

the trigger condition you mentioned works this way:
If your Splunk query (for which you set up this alert) finds more than "0" events (or "results"), the alert is generated.
If you change "is greater than" to "is less than" and change the value to "1", then an alert is generated every time no events are found for your Splunk query, depending on your "Alert type" (scheduled/real-time) and the chosen time range.
But you can do a lot with alerts. For example, you can set your "trigger alert when" to "custom"; there you can check for field values and more.

For your log generating problem: use a universal forwarder for Windows/Linux. You can monitor file paths and therefore text-based logfiles. If your macro is able to generate a logfile or append something to a "main" logfile (e.g. on Windows: the Application log), you can pull this and send it to Splunk.

BR vess

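The two alert shapes described in the reply above (a "no results" alert, and a "custom" condition that checks a field value), plus the forwarder monitor stanza for a macro logfile, written out as Splunk configuration. This is an added example, not configuration from the thread; the index names come from the question, while the stanza names, the cron schedule, the e-mail address and the logfile path `/var/log/macro_runs.log` with its `status` field are assumptions.

```ini
# --- savedsearches.conf (on the search head) ---------------------------------

# Alert 1: fire when the Tier1 collection produced NO events in the last 24h.
# Searching raw events (no "| stats") matters: "number of events less than 1"
# is evaluated on the result rows, and "| stats count" would always return one
# row (count=0), so the "less than 1" condition would never trigger.
[Data_Tier1 - no data collected]
search = index=Data_Tier1
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
enableSched = 1
cron_schedule = 15 6 * * *
counttype = number of events
relation = less than
quantity = 1
alert.severity = 4
alert.track = 1
action.email = 1
action.email.to = soc@example.com

# Alert 2: "custom" trigger condition evaluated against the fields of the
# search results. Here the macro writes key=value lines such as
#   stage=tier2 status=partial expected=120000 written=98000
# to its logfile (assumed format), and the alert fires when any run in the
# window reports an error or partial outcome.
[Macro run - error or partial]
search = source="/var/log/macro_runs.log" stage=* status=*
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
enableSched = 1
cron_schedule = 30 6 * * *
counttype = custom
alert_condition = search status=error OR status=partial
alert.severity = 4
alert.track = 1
action.email = 1
action.email.to = soc@example.com

# --- inputs.conf (on the universal forwarder running the macros) -------------

# Monitor the macro's logfile so each run's status line is indexed and can be
# searched by the alerts above. key=value lines are auto-extracted by Splunk.
[monitor:///var/log/macro_runs.log]
sourcetype = macro_runs
index = main
disabled = 0
```

Alert 1 answers the first question directly: the "greater than 0" condition in the screenshot fires only when data is present, so detecting an empty collection needs "less than 1" (or "equal to 0"). Alert 2 shows the "custom" path the reply mentions, which is the Splunk-only way to get per-stage success/partial/error notifications without a separate Python logging framework, as long as each macro appends one status line per run to the monitored file.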

dnv007
Explorer

Thanks @vessev !

On your suggestion for the logs, I meant more of setting up a debugging log file for the macros (that I have mentioned above) to understand if the macro didn't run, or ran and gave partial results, etc. I want to set up a logger to understand how the macros that I have set up have functioned. Can I achieve all this with just Splunk and its features (that I don't know about)? Or would it be better if I set up a logger file through Python?
