Alert only if value exists

jaxjohnny
Path Finder

Hello Splunkers,

We have a search that runs every 30 minutes and then sends an email. The problem is that there may not be a value in the results. The search looks for a "deny" event. We would like the search to run every 30 minutes, but ONLY send an email alert IF there are values in the results; in other words, only if there is a deny event.

index=xncsyslog | search action="deny" | dedup deviceid | fields _time action group user deviceid devicetype agent ip | table _time user deviceid devicetype action group agent ip

0 Karma
1 Solution

niketn
Legend

Do you need this? It would run every 30 min for last 30 minutes and will trigger only if the table has record/s for deny event based on deviceid:

index=xncsyslog action="deny" earliest=-30m latest=now
|dedup deviceid 
|table _time user deviceid devicetype action group agent ip

Under alerts Trigger Conditions set to trigger when Number of Results > 0

Set on every 30 minutes cron schedule : */30 * * * *

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


jaxjohnny
Path Finder

Thank you. I've made this change to both the code and the trigger conditions. The next report runs in about 10 minutes. We'll see if this works.

0 Karma

jaxjohnny
Path Finder

Thank you. However, we do not know which devices will attempt to connect. These are all BYO devices connecting. We have two portals. One portal is permitted for all devices, while the other portal is approved only for select devices.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi jaxjohnny,
to do what you want, you have to create a lookup with all the deviceids to monitor (call it e.g. Perimeter.csv), in which there is a column called "deviceid" (and optionally other columns describing each device), and then run a search like this:

index=xncsyslog action="deny" 
| eval deviceid=upper(deviceid) 
| stats count by deviceid 
| append [ | inputlookup Perimeter.csv | eval deviceid=upper(deviceid), count=0 | fields deviceid count ] 
| stats sum(count) AS Total by deviceid 

In this way, missed deviceids have Total=0, the other have Total>0.

(Note that if you insert the search condition action="deny" after a | and a search command, your search is slower! Also, you don't need to use the fields command before the table command.)

You can insert at the end of your search | where Total=0 and create an alert or create a dashboard that shows the status of your devices.

You could also show the status of your devices by inserting at the end of your search | rangemap field=Total severe=0-0 low=1-1000000000 default=severe

If you like to show status of your devices in a graphic mode, follow the example in Splunk 6.x Dashboard Examples App (https://splunkbase.splunk.com/app/1603/).

Bye.
Giuseppe

0 Karma
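The two patterns in this thread, niketn's "trigger only when Number of Results > 0" and gcusello's "append the lookup with count=0 so missing devices come out with Total=0", modelled in Python as an added example (not code from the posts, from Splunk, or from the SPL itself). The key=value syslog lines, the Perimeter.csv stand-in and the field values are constructed; only the field names mirror the thread. Running it offline shows why the case folding matters: "ab12" in the events and "AB12" in the lookup only land in one row when both sides are upper-cased.

```python
"""Offline model of the thread's two alert patterns (added example, not Splunk code).

  1. niketn: search for deny events, dedup by deviceid, fire only if rows came back.
  2. gcusello: count denies per deviceid, append every expected deviceid with
     count=0, sum, then keep Total=0 rows to find devices that produced no deny.
"""
from collections import Counter
import re
from typing import Dict, Iterable, List

# Constructed sample events in key=value form (stand-in for index=xncsyslog).
SAMPLE_EVENTS = [
    "2024-01-01T10:00:01Z action=deny user=alice deviceid=ab12 devicetype=phone group=byod agent=ios ip=10.0.0.5",
    "2024-01-01T10:03:11Z action=allow user=bob deviceid=CD34 devicetype=laptop group=byod agent=win ip=10.0.0.6",
    "2024-01-01T10:07:42Z action=deny user=alice deviceid=AB12 devicetype=phone group=byod agent=ios ip=10.0.0.5",
    "2024-01-01T10:12:09Z action=deny user=carol deviceid=ef56 devicetype=tablet group=byod agent=android ip=10.0.0.7",
]

# Constructed stand-in for the deviceid column of Perimeter.csv.
PERIMETER_LOOKUP = ["AB12", "CD34", "GH78"]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a field dict; the leading timestamp becomes _time."""
    fields = {"_time": line.split(" ", 1)[0]}
    fields.update(KV_RE.findall(line))
    return fields


def deny_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """index=xncsyslog action="deny" | dedup deviceid

    dedup keeps the first event per exact deviceid value, so 'ab12' and 'AB12'
    stay separate rows here (no case folding in niketn's search)."""
    seen = set()
    rows = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") != "deny":
            continue
        key = ev.get("deviceid", "")
        if key in seen:
            continue
        seen.add(key)
        rows.append(ev)
    return rows


def should_alert(results: list) -> bool:
    """Trigger condition 'Number of Results > 0': send the email only when rows exist."""
    return len(results) > 0


def deny_count_with_lookup(lines: Iterable[str], lookup: Iterable[str]) -> Dict[str, int]:
    """stats count by deviceid | append [inputlookup ... count=0] | stats sum(count) AS Total by deviceid

    Both sides are upper-cased so each expected device ends up in exactly one row."""
    totals: Counter = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") == "deny":
            totals[ev["deviceid"].upper()] += 1
    for dev in lookup:
        totals[dev.upper()] += 0  # the appended count=0 row guarantees the key exists
    return dict(totals)


def devices_without_deny(lines: Iterable[str], lookup: Iterable[str]) -> List[str]:
    """| where Total=0 : expected devices with no deny event in the search window."""
    totals = deny_count_with_lookup(lines, lookup)
    return sorted(dev for dev, total in totals.items() if total == 0)


if __name__ == "__main__":
    rows = deny_events(SAMPLE_EVENTS)
    print("deny rows:", len(rows), "->", "alert" if should_alert(rows) else "no alert")
    print("Total by deviceid:", deny_count_with_lookup(SAMPLE_EVENTS, PERIMETER_LOOKUP))
    print("no deny seen for:", devices_without_deny(SAMPLE_EVENTS, PERIMETER_LOOKUP))
```

The `should_alert` check is what the alert's trigger condition does for you in Splunk; the scheduled search itself still runs every 30 minutes, only the email action is gated. The `deny_count_with_lookup` function is the inverse question (which expected devices were never denied), which is why gcusello's answer filters on Total=0 rather than on a non-empty result set.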

niketn
Legend

Do you need this?

index=xncsyslog action="deny" 
|dedup deviceid 
|table _time user deviceid devicetype action group agent ip

Under alerts Trigger Conditions set to trigger when Number of Results > 0

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma