Consolidate the alert

Motivator

index=xyz host=a12fr* sourcetype=alert ("A failed" OR "A success")
| head 1
| eval mytime=_time, current=now()
| eval diff=current-mytime
| where diff>=100 AND like(_raw, "%failed%")

index=xyz host=a12fr* sourcetype=alert ("B failed" OR "B success")
| head 1
| eval mytime=_time, current=now()
| eval diff=current-mytime
| where diff>=100 AND like(_raw, "%failed%")

index=xyz host=a13fr* sourcetype=alert ("B failed" OR "B success")
| head 1
| eval mytime=_time, current=now()
| eval diff=current-mytime
| where diff>=100 AND like(_raw, "%failed%")

index=xyz host=a13fr* sourcetype=alert ("A failed" OR "A success")
| head 1
| eval mytime=_time, current=now()
| eval diff=current-mytime
| where diff>=100 AND like(_raw, "%failed%")

How can I consolidate these alerts into a single alert?


Re: consolidate the alert

Path Finder

Is success/failed captured in any field name?


Re: consolidate the alert

Motivator

No, it's not a field name.


Re: consolidate the alert

SplunkTrust

You could do a couple of things:
- Assuming your raw events are similar, create a field that extracts the status (success/failed).
- Create eventtypes for each pattern: "A failed" OR "A success", "B failed" OR "B success", etc.
- Possibly also a macro to define the hosts, say `host=A OR host=B OR host=C`, etc., to make the search simpler.
- Then: index=xyz (eventtype=A OR eventtype=B) | head .... your search...
- Where possible, avoid like(_raw, "%failed%") and move that condition into your base search (before the first pipe).


Re: consolidate the alert

Esteemed Legend

Like this:

index=xyz (host=a12fr* OR host=a13fr*) AND sourcetype=alert AND (("A failed" OR "A success") OR ("B failed" OR "B success"))
| eval which = case(searchmatch("\"A failed\" OR \"A success\""), "A", searchmatch("\"B failed\" OR \"B success\""), "B", true(), "ERROR")
| dedup host which
| eval diff=now() - _time
| where diff>=100 AND like(_raw, "%failed%")


Re: consolidate the alert

Motivator

I am getting this error:

Error in 'eval' command: Typechecking failed. 'OR' only takes boolean arguments.


Re: consolidate the alert

Esteemed Legend

I edited my answer and fixed that error.


Re: consolidate the alert

Motivator

Actually, the requirement is:
If I get a failure event and then a success event within 5 minutes, it should not be noted.
If I get only a failure event and no success event for the last 5 minutes, it should be noted.
If I get only success, it should not be noted.
Could you please help me?


Re: consolidate the alert

Motivator

@woodcock Could you please help?


Re: consolidate the alert

SplunkTrust

I think you are looking for success or failure; probably eventstats and streamstats could help. From line 3 in woodcock's response, try changing to eventstats, keep a 5 min window, and you can then do eventstats values(which) by host.

Please look at https://www.splunk.com/blog/2014/04/01/search-command-stats-eventstats-and-streamstats-2.html and change it as per your need.

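The requirement stated in the thread (a failure counts only if no success follows it within 5 minutes, and all host/check pairs roll up into one alert), written out as plain detection logic over constructed sample events. This is an added illustration, not code from the thread or from Splunk; the raw-event layout, host names, timestamps and function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the thread); assumed raw layout:
# "<ISO timestamp> host=<host> <check> <status>"
SAMPLE_EVENTS = """\
2024-01-01T10:00:00 host=a12fr01 A failed
2024-01-01T10:02:00 host=a12fr01 A success
2024-01-01T10:01:00 host=a12fr01 B failed
2024-01-01T10:03:00 host=a13fr01 A success
2024-01-01T10:04:00 host=a13fr01 B failed
2024-01-01T10:06:00 host=a13fr01 B failed
"""
EVENT_RE = re.compile(r"^(\S+) host=(\S+) (A|B) (failed|success)$")
WINDOW = timedelta(minutes=5)  # grace period from the requirement

def parse_events(text):
    """Parse raw lines into (time, host, check, status), oldest first; skip non-matching lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts, host, check, status = m.groups()
            events.append((datetime.fromisoformat(ts), host, check, status))
    return sorted(events)

def open_failures(events, now, window=WINDOW):
    """Return {(host, check): first_failure_time} for pairs whose failure has not been
    followed by a success and is at least `window` old at evaluation time `now`."""
    open_since = {}
    for ts, host, check, status in events:
        if ts > now:
            continue                        # not yet visible at evaluation time
        key = (host, check)
        if status == "success":
            open_since.pop(key, None)       # success clears the pending failure
        else:
            open_since.setdefault(key, ts)  # keep earliest failure since last success
    # success-only pairs never enter the dict; fresh failures wait out the window
    return {k: t for k, t in open_since.items() if now - t >= window}

def consolidated_alert(events, now, window=WINDOW):
    """One alert body, one line per failing host/check, instead of one alert per search."""
    failures = open_failures(events, now, window)
    return [f"{host} check {check} failing since {t.isoformat()}"
            for (host, check), t in sorted(failures.items())]

if __name__ == "__main__":
    for line in consolidated_alert(parse_events(SAMPLE_EVENTS), datetime.fromisoformat("2024-01-01T10:12:00")):
        print(line)
```

Evaluated at 10:12 the sample yields two lines (a12fr01 B and a13fr01 B); evaluated at 10:05 it yields none, because both open failures are still inside the 5-minute window.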