Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

search alert using static file

gudavasr
Path Finder
‎02-15-2013 02:00 PM

Hi,
I will have a csv file like this:
cachename, value
max,1000
min, 100

I want to do search | fileds cachename, value | and compare the value to the value in csv file and send alert if it is =1000 or <1000 like that.
is this possible in Splunk? if possible can you please let me know the best way to do it.

Thank You

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-15-2013 03:36 PM

In other words, you want to define the alert triggering condition based on minimum and maximum values for a field from a csv file?

Here's a mildly hacked approach: I've defined a test.csv with two columns, min and max, with values 300 and 600. Do the same (in $SPLUNK_HOME/etc/system/lookups) and compare these two queries:

| gentimes start=-1 increment=5m | eval foo = starttime % 1200

| gentimes start=-1 increment=5m | eval foo = starttime % 1200 | search [inputlookup test.csv | return min max | eval search = replace(search, "min=", "foo>=") | eval search = replace(search, "max=", "foo<=")]

The first is the unfiltered one, with foo values from 0 to 900. The second filters the previous result based on the limits defined in the CSV file and only returns those events with 300<=foo<=600.

I'm not certain whether the trigger-conditions-in-CSV-file approach is the best for your problem though, what do you want to achieve?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-15-2013 04:03 PM

gentimes generates time range results, I use it to simulate actual events.

0 Karma
Reply

gudavasr
Path Finder
‎02-15-2013 04:01 PM

I will try this approach but why to gentimes? can I just use inputlookup part?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...