Solved: Re: consolidate the alert

logloganathan · ‎02-20-2019

index=xyz host=a12fr* sourcetype = alert "A failed" OR "A success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")

index=xyz host=a12fr* sourcetype = alert "B failed" OR "B success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")

index=xyz host=a13fr* sourcetype = alert "B failed" OR "B success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")

index=xyz host=a13fr* sourcetype = alert "A failed" OR "A success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")

how to consolidate these alert to single alert?

woodcock · ‎02-20-2019

Like this:

index=xyz (host=a12fr* OR host=a13fr*) AND sourcetype = alert AND (("A failed" OR "A success") OR ("B failed" OR "B success"))
| eval which = case(searchmatch("\"A failed\" OR \"A success\""), "A", searchmatch("\"B failed\" OR \"B success\""), "B", true(), "ERROR")
| dedup host which
| eval diff=_time - now()
| where diff>=100 AND like(_raw, "%failed%")

View solution in original post

richgalloway · ‎02-20-2019

Perhaps I'm missing something, but have you tried the obvious?

index=xyz (host=a12fr* OR host=a13fr*) sourcetype = alert (("A failed" OR "A success") OR ("B failed" OR "B success"))
| eval my_time=_time, current=Now() 
| eval diff=current-my_time 
| where diff>=100 AND like(_raw, "%failed%")

It can be refined further to this:

index=xyz (host=a12fr* OR host=a13fr*) sourcetype = alert ("A failed" OR "B failed") latest=-100s

---
If this reply helps you, Karma would be appreciated.

logloganathan · ‎02-21-2019

if get both failure and success then i not want to display

richgalloway · ‎02-21-2019

Then @woodcock has your answer.

---
If this reply helps you, Karma would be appreciated.

woodcock · ‎02-20-2019

Like this:

index=xyz (host=a12fr* OR host=a13fr*) AND sourcetype = alert AND (("A failed" OR "A success") OR ("B failed" OR "B success"))
| eval which = case(searchmatch("\"A failed\" OR \"A success\""), "A", searchmatch("\"B failed\" OR \"B success\""), "B", true(), "ERROR")
| dedup host which
| eval diff=_time - now()
| where diff>=100 AND like(_raw, "%failed%")

logloganathan · ‎02-21-2019

i am getting these error

Error in 'eval' command: Typechecking failed. 'OR' only takes boolean arguments.

woodcock · ‎02-21-2019

I edited my answer and fixed that error.

logloganathan · ‎02-22-2019

actually the requirement
if i get failure event then success event within 5 minutes..it should not be noted
if i get only failure event and no success event for last 5 minutes..it should be noted
if i get only success..it should not be noted
Could you please help me...

woodcock · ‎02-25-2019

I can help but let's move this to another new question and close out this one. Call me out in the new question and I will take a look at it.

logloganathan · ‎02-25-2019

Sure woodcock

logloganathan · ‎02-25-2019

@woodcock Could you please help

lakshman239 · ‎02-25-2019

I think you are looking for success or failure, probably evenstats and streamstats could help. From line 3 in woodcock's response, try to change to eventstats and keep 5mins window and you can then do eventstats values(which) by host.

Pls look at https://www.splunk.com/blog/2014/04/01/search-command-stats-eventstats-and-streamstats-2.html and change as per your need.

gowtham495 · ‎02-20-2019

Is success/failed is captured in any field name?

logloganathan · ‎02-20-2019

no its not field name

lakshman239 · ‎02-20-2019

You could do couple of things?
- assuming your raw event is similar, create a field to extract status - success /failed
- create eventtypes for each pattern . "A failed" OR "A success" , "B failed" OR "B success" etc..
- and possibly a macro to define hosts, say 'host A OR hostB OR host C etc.. to make search simpler
- then index=xyz (eventtype=A OR eventtype=B) | head .... your search...
- where possible avoid like(_raw, "%failed%") and bring that to your base search (before first pipe).

consolidate the alert

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation