Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Send alerts if only latest search result is different from previous searched results

wailoont
Engager
‎04-29-2019 02:28 AM

Hi,

I have a search query below :

sourcetype="XXX"  earliest=-1w@w latest=now | rex field=_raw "(?msi)(?<user_login>\{.+\}$)" | spath input=user_login 
| rex field=repo_name "^(?<repo_name>[^/]+)" | spath input=repo_name 
| stats  values(repo_name) as REPO_LIST dc(repo_name) AS DISTINCT_REPO by user_login | where  DISTINCT_REPO > 4  | sort  by DISTINCT_REPO desc

This query will generate results and send alert emails to admins if there is a result. However, we want to monitor this everyday, but we prefer to get alerts if the results for each alert are different. Currently, the results is same everyday. How to configure it to send alerts if only the results is different from previous sent alert ?

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-29-2019 10:55 PM

You need to dump the alert details (including _time = now() into a lookup with outputlookup and then only alert if that alert is the latest one in the lookup. You will also need to purge events in the lookup that are older than 24-hours old.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎04-29-2019 05:32 AM

This is a good use case for a summary index. All alert data should get sent to the summary index, you than create an alert over the summary index (Way faster too) which then compares the current result over the previous result

0 Karma
Reply

wailoont
Engager
‎05-02-2019 01:11 AM

Hi skoelpin,

Do you have any examples of using a summary index? Sorry i am new to Splunking. 🙂

Thanks.

0 Karma
Reply

vishaltaneja070
Motivator
‎04-29-2019 03:46 AM

Hello @wailoont

The best approach I can think of is a lookup in this. You have to create two searches.
1. One which will add the result to lookup table.
2. To compare result with lookup table.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎04-29-2019 05:31 AM

Lookups won't scale well overtime. You'd have to have a process to add and purge old data or else the lookup will get too large and be unusable

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...