Alerting

Stop alert query execution if a specific event log is detected

pkumar2
Explorer

If, in the source data log, I get an event such as:

18 May 2020 17:46:51,623 [13] INFO  BWT - BWT - Mura Map - Accepted

then the main query should not execute.

source="c:\\program files (x86)\\prysm\\servo\\logs\\vegaservo.log" "PcalLogger - LaserNits" earliest=-7d@d latest=now Tile PA = Low |stats max(VAL) AS max , min(VAL) AS min by Laser, TILE,host | eval delta_diff = max - min | fields host,Laser, TILE, max, min,delta_diff | where delta_diff > 6 | eval LE_Laser_Decay=TILE.":".Laser.":".delta_diff| stats values(LE_Laser_Decay) as LE_Laser_Decay by host | eval LE_Laser_Decay=mvjoin(LE_Laser_Decay,", ") |lookup Walls_Reference Host as host OUTPUTNEW Wall as wall Active as active | where active == 1 | table wall LE_Laser_Decay

@to4kawa How do I add a condition so that the main query does not execute if that log event has occurred?
0 Karma

to4kawa
Ultra Champion

I don't know the fields and the log, so it's hard to say.

0 Karma

pkumar2
Explorer

This is the log event.

17 May 2020 16:42:28,175 [43] INFO  BWT - BWT - Nits Ratio OK
17 May 2020 16:42:30,061 [13] INFO  BWT - BWT - Mura Map - Accepted
17 May 2020 16:59:32,722 [13] INFO  BWT - BWT - Wiper Tune OK
17 May 2020 17:46:51,525 [13] INFO  BWT - BWT - Mura Map - Accepted
17 May 2020 17:46:51,623 [13] INFO  BWT - BWT - Mura Map - Accepted
17 May 2020 17:49:16,118 [35] INFO  VegaServoLogger - In StartServo() - HTTP Response ServoName is: All
17 May 2020 17:49:16,118 [35] INFO  VegaServoLogger - In StartServoService(), Starting Servo. Name: All
17 May 2020 17:49:16,118 [35] INFO  VegaServoLogger - In AddServo - Adding: PCAL
17 May 2020 17:49:16,118 [35] INFO  VegaServoLogger - In AddServo - Adding: OnPanelReTiming
If that log event appears, the alert below should not execute. I need a way to add a condition to handle this.
----

My Search has the below format data.

A single host has multiple parameters consisting of LED 1 to 20 for each TV, and there are 24 TVs. The LED power parameter has a value, say max(VAL) = 34.0, which is related to the PA (power amplitude) of Low/High; we only want to search for PA = Low.

Query :

source="c:\\program files (x86)\\xxxx" "PLogger" TV earliest=-2d@d latest=now PA = Low | stats max(VAL) by host, TV, LED, PA , _time | fields "host" "LED","PA", "TV", "max(VAL)" |

Result :

host          LED  PA   TV  max(VAL)  _time
03192610158   0    Low  A1  48.863    2019-12-19 22:00:08.177
03192610158   0    Low  A1  48.61     2019-12-20 22:00:08.140
031.........  1    Low  A1  44.23     2019-12-19 22:00:08.177
031.........  1    Low  A1  45.23     2019-12-20 22:00:08.177
...
031.........  19   Low  A1  49.23     2019-12-19 22:00:08.177
031.........  19   Low  A1  50.23     2019-12-20 22:00:08.177
...
031.........  1    Low  A2  52.23     2019-12-19 22:00:08.177
031.........  1    Low  A2  53.73     2019-12-20 22:00:08.177

and it continues for the same host, for each TV and its 20 LEDs.

Now I need to calculate the percentage difference of LED 1, 2, ..., 19 for each TV (A1 to A24) and raise an alert for any LED that drops by 5%.

This is the Splunk query I use:

Now I do not want an alert to be generated if I get that parameter in the logs. I need to add a condition within the query, and I am not able to get it to work.

17 May 2020 17:46:51,525 [13] INFO  BWT - BWT - Mura Map - Accepted
17 May 2020 17:46:51,623 [13] INFO  BWT - BWT - Mura Map - Accepted

source="c:\\program files (x86)\\prysm\\servo\\logs\\vegaservo.log" "PcalLogger - LaserNits" earliest=-7d@d latest=now Tile PA = Low |stats max(VAL) AS max , min(VAL) AS min by Laser, TILE,host | eval delta_diff = max - min | fields host,Laser, TILE, max, min,delta_diff | where delta_diff > 6

 

0 Karma

to4kawa
Ultra Champion

source="c:\\program files (x86)\\prysm\\servo\\logs\\vegaservo.log" "PcalLogger - LaserNits" earliest=-7d@d latest=now Tile PA = Low | eval flag=if(searchmatch("Mura Map"),1,0)

|stats sum(flag) as flag max(VAL) AS max , min(VAL) AS min by Laser, TILE,host | eval delta_diff = max - min | fields host,Laser, TILE, max, min,delta_diff, flag| where delta_diff > 6 AND flag <1

0 Karma

anilchaithu
Builder

@pkumar2 

You can add an eval condition to carry the accepted event into the stats and filter it out later.

sample Query:

eval accept = if(like(_raw, "%Mura%Map%Accepted%"), "Yes","No") | stats max(VAL) AS max , min(VAL) AS min values(accept) as accept by Laser, TILE,host | where accept="No"

Hope this helps!!!

0 Karma

pkumar2
Explorer

@anilchaithu Hey, thanks for the reply; I am new to Splunk. I tried it, but the condition does not seem to work as expected. Can you show me how to use eval accept = if(like(_raw, "%Mura%Map%Accepted%"), "Yes","No") | stats max(VAL) AS max , min(VAL) AS min values(accept) as accept by Laser, TILE,host | where accept="No" inside the main query above?

0 Karma