Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

search alert using static file

gudavasr
Path Finder
‎02-15-2013 02:00 PM

Hi,
I will have a csv file like this:
cachename, value
max,1000
min, 100

I want to do search | fileds cachename, value | and compare the value to the value in csv file and send alert if it is =1000 or <1000 like that.
is this possible in Splunk? if possible can you please let me know the best way to do it.

Thank You

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-15-2013 03:36 PM

In other words, you want to define the alert triggering condition based on minimum and maximum values for a field from a csv file?

Here's a mildly hacked approach: I've defined a test.csv with two columns, min and max, with values 300 and 600. Do the same (in $SPLUNK_HOME/etc/system/lookups) and compare these two queries:

| gentimes start=-1 increment=5m | eval foo = starttime % 1200

| gentimes start=-1 increment=5m | eval foo = starttime % 1200 | search [inputlookup test.csv | return min max | eval search = replace(search, "min=", "foo>=") | eval search = replace(search, "max=", "foo<=")]

The first is the unfiltered one, with foo values from 0 to 900. The second filters the previous result based on the limits defined in the CSV file and only returns those events with 300<=foo<=600.

I'm not certain whether the trigger-conditions-in-CSV-file approach is the best for your problem though, what do you want to achieve?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-15-2013 04:03 PM

gentimes generates time range results, I use it to simulate actual events.

0 Karma
Reply

gudavasr
Path Finder
‎02-15-2013 04:01 PM

I will try this approach but why to gentimes? can I just use inputlookup part?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...