Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

search alert using static file

gudavasr
Path Finder
‎02-15-2013 02:00 PM

Hi,
I will have a csv file like this:
cachename, value
max,1000
min, 100

I want to do search | fileds cachename, value | and compare the value to the value in csv file and send alert if it is =1000 or <1000 like that.
is this possible in Splunk? if possible can you please let me know the best way to do it.

Thank You

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-15-2013 03:36 PM

In other words, you want to define the alert triggering condition based on minimum and maximum values for a field from a csv file?

Here's a mildly hacked approach: I've defined a test.csv with two columns, min and max, with values 300 and 600. Do the same (in $SPLUNK_HOME/etc/system/lookups) and compare these two queries:

| gentimes start=-1 increment=5m | eval foo = starttime % 1200

| gentimes start=-1 increment=5m | eval foo = starttime % 1200 | search [inputlookup test.csv | return min max | eval search = replace(search, "min=", "foo>=") | eval search = replace(search, "max=", "foo<=")]

The first is the unfiltered one, with foo values from 0 to 900. The second filters the previous result based on the limits defined in the CSV file and only returns those events with 300<=foo<=600.

I'm not certain whether the trigger-conditions-in-CSV-file approach is the best for your problem though, what do you want to achieve?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-15-2013 04:03 PM

gentimes generates time range results, I use it to simulate actual events.

0 Karma
Reply

gudavasr
Path Finder
‎02-15-2013 04:01 PM

I will try this approach but why to gentimes? can I just use inputlookup part?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
Top