Alerting

Stop alert query execution if a specific event log is detected

pkumar2
Explorer

If, in the source data log, I get an event - 18 May 2020 17:46:51,623 [13] INFO  BWT - BWT - Mura Map - Accepted

then the main query should not execute.

source="c:\\program files (x86)\\prysm\\servo\\logs\\vegaservo.log" "PcalLogger - LaserNits" earliest=-7d@d latest=now Tile PA = Low |stats max(VAL) AS max , min(VAL) AS min by Laser, TILE,host | eval delta_diff = max - min | fields host,Laser, TILE, max, min,delta_diff | where delta_diff > 6 | eval LE_Laser_Decay=TILE.":".Laser.":".delta_diff| stats values(LE_Laser_Decay) as LE_Laser_Decay by host | eval LE_Laser_Decay=mvjoin(LE_Laser_Decay,", ") |lookup Walls_Reference Host as host OUTPUTNEW Wall as wall Active as active | where active == 1 | table wall LE_Laser_Decay

@to4kawa How do I add a condition so that the main search does not execute if that log event has occurred?

0 Karma

to4kawa
Ultra Champion

I don't know the fields and the log, so it's hard to say.

0 Karma

pkumar2
Explorer

This is the log event.

17 May 2020 16:42:28,175 [43] INFO  BWT - BWT - Nits Ratio OK
17 May 2020 16:42:30,061 [13] INFO  BWT - BWT - Mura Map - Accepted
17 May 2020 16:59:32,722 [13] INFO  BWT - BWT - Wiper Tune OK
17 May 2020 17:46:51,525 [13] INFO  BWT - BWT - Mura Map - Accepted
17 May 2020 17:46:51,623 [13] INFO  BWT - BWT - Mura Map - Accepted
17 May 2020 17:49:16,118 [35] INFO  VegaServoLogger - In StartServo() - HTTP Response ServoName is: All
17 May 2020 17:49:16,118 [35] INFO  VegaServoLogger - In StartServoService(), Starting Servo. Name: All
17 May 2020 17:49:16,118 [35] INFO  VegaServoLogger - In AddServo - Adding: PCAL
17 May 2020 17:49:16,118 [35] INFO  VegaServoLogger - In AddServo - Adding: OnPanelReTiming
If this log event occurs, the alert below should not execute. I need a way to add a condition to handle this.
----

My Search has the below format data.

A single host has multiple parameters, consisting of LED 1 to 20 for each TV, and there are 24 TVs. The LED power parameter has a value, say Max(val) 34.0, which is related to the PA (power amplitude) of Low/High; we only want to search for PA = Low.

Query :

source="c:\\program files (x86)\\xxxx" "PLogger" TV earliest=-2d@d latest=now PA = Low | stats max(VAL) by host, TV, LED, PA , _time | fields "host" "LED","PA", "TV", "max(VAL)"

Result :

host          LED  PA   TV  Max(Val)  _time
03192610158   0    Low  A1  48.863    2019-12-19 22:00:08.177
03192610158   0    Low  A1  48.61     2019-12-20 22:00:08.140
031.........  1    Low  A1  44.23     2019-12-19 22:00:08.177
031.........  1    Low  A1  45.23     2019-12-20 22:00:08.177
...
031.........  19   Low  A1  49.23     2019-12-19 22:00:08.177
031.........  19   Low  A1  50.23     2019-12-20 22:00:08.177
...
031.........  1    Low  A2  52.23     2019-12-19 22:00:08.177
031.........  1    Low  A2  53.73     2019-12-20 22:00:08.177

and it continues for the same host, for each TV and its 20 LEDs.

Now I need to calculate the percentage difference of LED 1, 2, ..., 19 for each TV (A1 to A24) and raise an alert for any LED that drops by 5%.

This is the Splunk query I use:

Now I do not want an alert to be generated if I get this parameter in the logs. I need to add a condition within the query, and I am not able to get it to work.

17 May 2020 17:46:51,525 [13] INFO  BWT - BWT - Mura Map - Accepted
17 May 2020 17:46:51,623 [13] INFO  BWT - BWT - Mura Map - Accepted

source="c:\\program files (x86)\\prysm\\servo\\logs\\vegaservo.log" "PcalLogger - LaserNits" earliest=-7d@d latest=now Tile PA = Low |stats max(VAL) AS max , min(VAL) AS min by Laser, TILE,host | eval delta_diff = max - min | fields host,Laser, TILE, max, min,delta_diff | where delta_diff > 6


0 Karma

to4kawa
Ultra Champion

source="c:\\program files (x86)\\prysm\\servo\\logs\\vegaservo.log" "PcalLogger - LaserNits" earliest=-7d@d latest=now Tile PA = Low | eval flag=if(searchmatch("Mura Map"),1,0) | stats sum(flag) as flag max(VAL) AS max , min(VAL) AS min by Laser, TILE,host | eval delta_diff = max - min | fields host,Laser, TILE, max, min,delta_diff, flag | where delta_diff > 6 AND flag <1

0 Karma

anilchaithu
Builder

@pkumar2 

You can add an eval condition to ingest the accepted event into the stats and later filter it out.

Sample query:

eval accept = if(like(_raw, "%Mura%Map%Accepted%"), "Yes","No") | stats max(VAL) AS max , min(VAL) AS min values(accept) as accept by Laser, TILE,host | where accept="No"

Hope this helps!!!

0 Karma

pkumar2
Explorer

@anilchaithu Hey, thanks for the reply; I'm new to Splunk here. I tried it, and it looks like the condition is not working as expected. Can you show me how to use eval accept = if(like(_raw, "%Mura%Map%Accepted%"), "Yes","No") | stats max(VAL) AS max , min(VAL) AS min values(accept) as accept by Laser, TILE,host | where accept="No" in the main query above?

0 Karma
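Both answers above compute a per-event flag and then aggregate it with stats by Laser, TILE, host. Two things about the data shown in the thread work against that: the base search term "PcalLogger - LaserNits" never retrieves the BWT "Mura Map - Accepted" line in the first place, and even if it did, that line carries no Laser or TILE fields, so stats by those fields would put it in a group of its own and the laser groups would always see flag = 0. The query below is an added example, not code posted by anyone in the thread. It assumes that both kinds of line live in the same vegaservo.log source and that the "Mura Map - Accepted" event is extracted with the same host field as the LaserNits events; it widens the base search to retrieve both, uses eventstats to copy a per-host count of accepted events onto every event of that host, and only then drops hosts where the count is non-zero before the original aggregation runs.

```spl
source="c:\\program files (x86)\\prysm\\servo\\logs\\vegaservo.log" earliest=-7d@d latest=now
    (("PcalLogger - LaserNits" Tile PA=Low) OR "Mura Map - Accepted")
| eval flag=if(like(_raw, "%Mura Map - Accepted%"), 1, 0)
| eventstats sum(flag) AS mura_accepted BY host
| where mura_accepted == 0 AND flag == 0
| stats max(VAL) AS max, min(VAL) AS min BY Laser, TILE, host
| eval delta_diff = max - min
| where delta_diff > 6
| eval LE_Laser_Decay=TILE.":".Laser.":".delta_diff
| stats values(LE_Laser_Decay) AS LE_Laser_Decay BY host
| eval LE_Laser_Decay=mvjoin(LE_Laser_Decay, ", ")
| lookup Walls_Reference Host AS host OUTPUTNEW Wall AS wall Active AS active
| where active == 1
| table wall LE_Laser_Decay
```

The `flag == 0` clause removes the marker events themselves before stats; they would be dropped anyway for lacking Laser and TILE, but filtering them explicitly keeps the intent visible. If one accepted event should suppress the alert for every host rather than only the host that logged it, remove `BY host` from the eventstats. Because the gate is evaluated over the full 7-day window of the search, an accepted event from several days ago will still suppress today's alert; if the suppression should only apply to recent acceptances, compute the flag as `if(like(_raw, "%Mura Map - Accepted%") AND _time > relative_time(now(), "-1d@d"), 1, 0)` instead.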