Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Send alerts if only latest search result is different from previous searched results

wailoont
Engager
‎04-29-2019 02:28 AM

Hi,

I have a search query below :

sourcetype="XXX"  earliest=-1w@w latest=now | rex field=_raw "(?msi)(?<user_login>\{.+\}$)" | spath input=user_login 
| rex field=repo_name "^(?<repo_name>[^/]+)" | spath input=repo_name 
| stats  values(repo_name) as REPO_LIST dc(repo_name) AS DISTINCT_REPO by user_login | where  DISTINCT_REPO > 4  | sort  by DISTINCT_REPO desc

This query will generate results and send alert emails to admins if there is a result. However, we want to monitor this everyday, but we prefer to get alerts if the results for each alert are different. Currently, the results is same everyday. How to configure it to send alerts if only the results is different from previous sent alert ?

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-29-2019 10:55 PM

You need to dump the alert details (including _time = now() into a lookup with outputlookup and then only alert if that alert is the latest one in the lookup. You will also need to purge events in the lookup that are older than 24-hours old.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎04-29-2019 05:32 AM

This is a good use case for a summary index. All alert data should get sent to the summary index, you than create an alert over the summary index (Way faster too) which then compares the current result over the previous result

0 Karma
Reply

wailoont
Engager
‎05-02-2019 01:11 AM

Hi skoelpin,

Do you have any examples of using a summary index? Sorry i am new to Splunking. 🙂

Thanks.

0 Karma
Reply

vishaltaneja070
Motivator
‎04-29-2019 03:46 AM

Hello @wailoont

The best approach I can think of is a lookup in this. You have to create two searches.
1. One which will add the result to lookup table.
2. To compare result with lookup table.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎04-29-2019 05:31 AM

Lookups won't scale well overtime. You'd have to have a process to add and purge old data or else the lookup will get too large and be unusable

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...