Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

consolidate the alert

logloganathan
Motivator
‎02-20-2019 04:48 AM

index=xyz host=a12fr* sourcetype = alert "A failed" OR "A success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")

index=xyz host=a12fr* sourcetype = alert "B failed" OR "B success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")

index=xyz host=a13fr* sourcetype = alert "B failed" OR "B success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")

index=xyz host=a13fr* sourcetype = alert "A failed" OR "A success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")

how to consolidate these alert to single alert?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-20-2019 05:49 AM

Like this:

index=xyz (host=a12fr* OR host=a13fr*) AND sourcetype = alert AND (("A failed" OR "A success") OR ("B failed" OR "B success"))
| eval which = case(searchmatch("\"A failed\" OR \"A success\""), "A", searchmatch("\"B failed\" OR \"B success\""), "B", true(), "ERROR")
| dedup host which
| eval diff=_time - now()
| where diff>=100 AND like(_raw, "%failed%")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-20-2019 05:54 AM

Perhaps I'm missing something, but have you tried the obvious?

index=xyz (host=a12fr* OR host=a13fr*) sourcetype = alert (("A failed" OR "A success") OR ("B failed" OR "B success"))
| eval my_time=_time, current=Now() 
| eval diff=current-my_time 
| where diff>=100 AND like(_raw, "%failed%")

It can be refined further to this:

index=xyz (host=a12fr* OR host=a13fr*) sourcetype = alert ("A failed" OR "B failed") latest=-100s
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

logloganathan
Motivator
‎02-21-2019 02:47 AM

if get both failure and success then i not want to display

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-21-2019 05:11 AM

Then @woodcock has your answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-20-2019 05:49 AM

Like this:

index=xyz (host=a12fr* OR host=a13fr*) AND sourcetype = alert AND (("A failed" OR "A success") OR ("B failed" OR "B success"))
| eval which = case(searchmatch("\"A failed\" OR \"A success\""), "A", searchmatch("\"B failed\" OR \"B success\""), "B", true(), "ERROR")
| dedup host which
| eval diff=_time - now()
| where diff>=100 AND like(_raw, "%failed%")
0 Karma
Reply
Solved! Jump to solution

logloganathan
Motivator
‎02-21-2019 04:37 AM

i am getting these error

Error in 'eval' command: Typechecking failed. 'OR' only takes boolean arguments.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-21-2019 05:47 AM

I edited my answer and fixed that error.

0 Karma
Reply
Solved! Jump to solution

logloganathan
Motivator
‎02-22-2019 06:24 AM

actually the requirement
if i get failure event then success event within 5 minutes..it should not be noted
if i get only failure event and no success event for last 5 minutes..it should be noted
if i get only success..it should not be noted
Could you please help me...

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-25-2019 08:34 AM

I can help but let's move this to another new question and close out this one. Call me out in the new question and I will take a look at it.

0 Karma
Reply
Solved! Jump to solution

logloganathan
Motivator
‎02-25-2019 08:39 AM

Sure woodcock

0 Karma
Reply
Solved! Jump to solution

logloganathan
Motivator
‎02-25-2019 02:30 AM

@woodcock Could you please help

0 Karma
Reply
Solved! Jump to solution

lakshman239
Influencer
‎02-25-2019 03:18 AM

I think you are looking for success or failure, probably evenstats and streamstats could help. From line 3 in woodcock's response, try to change to eventstats and keep 5mins window and you can then do eventstats values(which) by host.

Pls look at https://www.splunk.com/blog/2014/04/01/search-command-stats-eventstats-and-streamstats-2.html and change as per your need.

0 Karma
Reply
Solved! Jump to solution

gowtham495
Path Finder
‎02-20-2019 05:03 AM

Is success/failed is captured in any field name?

0 Karma
Reply
Solved! Jump to solution

logloganathan
Motivator
‎02-20-2019 05:15 AM

no its not field name

0 Karma
Reply
Solved! Jump to solution

lakshman239
Influencer
‎02-20-2019 05:59 AM

You could do couple of things?
- assuming your raw event is similar, create a field to extract status - success /failed
- create eventtypes for each pattern . "A failed" OR "A success" , "B failed" OR "B success" etc..
- and possibly a macro to define hosts, say 'host A OR hostB OR host C etc.. to make search simpler
- then index=xyz (eventtype=A OR eventtype=B) | head .... your search...
- where possible avoid like(_raw, "%failed%") and bring that to your base search (before first pipe).

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...