Alerting

consolidate the alert

logloganathan
Motivator

index=xyz host=a12fr* sourcetype = alert "A failed" OR "A success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")

index=xyz host=a12fr* sourcetype = alert "B failed" OR "B success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")

index=xyz host=a13fr* sourcetype = alert "B failed" OR "B success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")

index=xyz host=a13fr* sourcetype = alert "A failed" OR "A success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")

How to consolidate these alerts into a single alert?

1 Solution

woodcock
Esteemed Legend

Like this:

index=xyz (host=a12fr* OR host=a13fr*) AND sourcetype = alert AND (("A failed" OR "A success") OR ("B failed" OR "B success"))
| eval which = case(searchmatch("\"A failed\" OR \"A success\""), "A", searchmatch("\"B failed\" OR \"B success\""), "B", true(), "ERROR")
| dedup host which
| eval diff=now() - _time
| where diff>=100 AND like(_raw, "%failed%")

richgalloway
SplunkTrust

Perhaps I'm missing something, but have you tried the obvious?

index=xyz (host=a12fr* OR host=a13fr*) sourcetype = alert (("A failed" OR "A success") OR ("B failed" OR "B success"))
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")

It can be refined further to this:

index=xyz (host=a12fr* OR host=a13fr*) sourcetype = alert ("A failed" OR "B failed") latest=-100s
---
If this reply helps you, Karma would be appreciated.

logloganathan
Motivator

If I get both failure and success then I do not want to display it.


richgalloway
SplunkTrust

Then @woodcock has your answer.

---
If this reply helps you, Karma would be appreciated.

logloganathan
Motivator

I am getting this error:

Error in 'eval' command: Typechecking failed. 'OR' only takes boolean arguments.


woodcock
Esteemed Legend

I edited my answer and fixed that error.


logloganathan
Motivator

Actually, the requirement:
if I get a failure event and then a success event within 5 minutes, it should not be noted
if I get only a failure event and no success event for the last 5 minutes, it should be noted
if I get only success, it should not be noted
Could you please help me...


woodcock
Esteemed Legend

I can help but let's move this to another new question and close out this one. Call me out in the new question and I will take a look at it.


logloganathan
Motivator

Sure, woodcock.


logloganathan
Motivator

@woodcock Could you please help


lakshman239
SplunkTrust

I think you are looking for success or failure; probably eventstats and streamstats could help. From line 3 in woodcock's response, try changing to eventstats and keep a 5-minute window; you can then do eventstats values(which) by host.

Please look at https://www.splunk.com/blog/2014/04/01/search-command-stats-eventstats-and-streamstats-2.html and change as per your need.


gowtham495
Path Finder

Is success/failed captured in any field name?


logloganathan
Motivator

No, it's not a field name.


lakshman239
SplunkTrust

You could do a couple of things:
- assuming your raw events are similar, create a field to extract the status: success/failed
- create eventtypes for each pattern: "A failed" OR "A success", "B failed" OR "B success", etc.
- and possibly a macro to define hosts, say 'host A OR host B OR host C', etc., to make the search simpler
- then index=xyz (eventtype=A OR eventtype=B) | head .... your search...
- where possible avoid like(_raw, "%failed%") and bring that into your base search (before the first pipe).

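The later requirement in this thread (a failure with no success within 5 minutes should alert; a success alone, or a failure followed by a success, should not) is a correlation rather than a filter, so the search has to compare the latest failure against the latest success per host and per check. The search below is an added example, not from any of the posters; it reuses woodcock's `which` extraction, adds the `status` field lakshman239 suggests, and assumes the same index, hosts, sourcetype and message strings as the original posts, with a 15-minute lookback as an assumed window.

```spl
index=xyz (host=a12fr* OR host=a13fr*) sourcetype=alert ("A failed" OR "A success" OR "B failed" OR "B success") earliest=-15m
| eval which=case(searchmatch("\"A failed\" OR \"A success\""), "A", searchmatch("\"B failed\" OR \"B success\""), "B", true(), "ERROR")
| eval status=if(like(_raw, "%failed%"), "failed", "success")
| stats max(eval(if(status="failed", _time, null()))) as last_fail, max(eval(if(status="success", _time, null()))) as last_success by host, which
| where isnotnull(last_fail) AND (isnull(last_success) OR last_success < last_fail) AND (now() - last_fail) >= 300
| eval last_fail=strftime(last_fail, "%Y-%m-%d %H:%M:%S")
| table host, which, last_fail
```

Schedule it to run every few minutes as one alert: the `(now() - last_fail) >= 300` clause holds a fresh failure back for 5 minutes so that a following success has time to arrive and suppress it, and a host/check pair whose newest event is a success never appears.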