All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search the following EventCodes and Messages for Exchange in one alert with a inputlookup table.

sholmes
New Member
‎02-27-2015 04:44 AM

I don't want to create individual alerts for each EventCode and Message in the lookup table.
This is the search host="" source="WinEventLog:application" CategoryString="" [| inputlookup exchangecodes.csv | eval EventCode=EventCode | eval SourceName=SourceName | eval Message=Messages | table SourceName,EventCode,Message,host
Below is the exchangecodes.csv
EventCode Message SourceName LogName Type
100 Disk drive full Backup Exec System Recovery App warning
215 Backup stopped ESE App error
474 Problems reading EDB ESE App error
478 STM file corruption ESE App error
514 Out of log files ESE App warning
704 EDB defrag interrupted ESE App Information
8024 LDAP to DC failure MSExchangeAL App error
1005 SA unable to connect to Exch server MSExchangeIS App error
1159 Database error MSExchangeIS App error
8528 Mailbox full MSExchangeIS App warning
9514 Two objects, same proxy MSExchangeIS App warning
9519 database does not mount MSExchangeIS App error
9547 EDB not found MSExchangeIS App error
2000 Exchange MTA started? MSExchangeIS Mailbox Store App error
200 database checksum error MSExchangeMTA App warning
9411 Disk drive full MSExchangeMTA App error
1031 SA's task blocked MSExchangeSA App error
5007 Out of memory MSExchangeSA App error
9057 Cannot contact Global Catalog MSExchangeSA App error
9074 Directory Service Referral interface failed MSExchangeSA App error
9153 System Attendant error '0x8007203a' MSExchangeSA App error
9325 SMTP address invalid MSExchangeSA App error
9334 Offline address list not generated MSExchangeSA App error
3020 Forwarding loop MSExchangeTransport App error
68 Unable to initialize Scan Engine Symantec Mail Security for Microsoft Exchange App error
236 Quarantine has exceeded a set limit Symantec Mail Security for Microsoft Exchange App warning
292 License expiration Symantec Mail Security for Microsoft Exchange App warning
345 License expiration Symantec Mail Security for Microsoft Exchange App warning
12293 Shadow copy error VSS App error

0 Karma
Reply

Heff
Splunk Employee
Splunk Employee
‎03-04-2015 05:47 AM

Something like this....You dont want inputlookup (the whole file), you only want the fields that match your search

host="" source="WinEventLog:application" CategoryString="" | lookup exchangecodes.csv | eval EventCode=EventCode | eval SourceName=SourceName | eval Message=Messages | table SourceName,EventCode,Message,host

Sample:
EventCode=* |lookup EventCodes.csv EventCode | table EventCode,LogName, desc

0 Karma
Reply

Heff
Splunk Employee
Splunk Employee
‎03-04-2015 07:00 AM

host=myhost* source="WinEventLog:application" EventCode=* | lookup exchangecodes.csv EventCode |where isnotnull(Message) | table EventCode, Message, Type

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...