Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

search alert using static file

gudavasr
Path Finder
‎02-15-2013 02:00 PM

Hi,
I will have a csv file like this:
cachename, value
max,1000
min, 100

I want to do search | fileds cachename, value | and compare the value to the value in csv file and send alert if it is =1000 or <1000 like that.
is this possible in Splunk? if possible can you please let me know the best way to do it.

Thank You

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-15-2013 03:36 PM

In other words, you want to define the alert triggering condition based on minimum and maximum values for a field from a csv file?

Here's a mildly hacked approach: I've defined a test.csv with two columns, min and max, with values 300 and 600. Do the same (in $SPLUNK_HOME/etc/system/lookups) and compare these two queries:

| gentimes start=-1 increment=5m | eval foo = starttime % 1200

| gentimes start=-1 increment=5m | eval foo = starttime % 1200 | search [inputlookup test.csv | return min max | eval search = replace(search, "min=", "foo>=") | eval search = replace(search, "max=", "foo<=")]

The first is the unfiltered one, with foo values from 0 to 900. The second filters the previous result based on the limits defined in the CSV file and only returns those events with 300<=foo<=600.

I'm not certain whether the trigger-conditions-in-CSV-file approach is the best for your problem though, what do you want to achieve?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-15-2013 04:03 PM

gentimes generates time range results, I use it to simulate actual events.

0 Karma
Reply

gudavasr
Path Finder
‎02-15-2013 04:01 PM

I will try this approach but why to gentimes? can I just use inputlookup part?

0 Karma
Reply
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Top