Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you pass tokens into an alert's search?

kingb00
Explorer
‎12-11-2018 02:27 PM

I have an alert that I want to run on 100 URLs. I don't want to make 100 alerts. Can I use 1 alert and have it dynamically populate the URL and send an individual email for each URL if a change happens?

Background: I want run an accessibility check on a website every few hours and send the logs to Splunk. I get an Alert when the score changes.

This is a simplified version of my Alert search that works great for 1 URL:

host="accessibility-scanner.foo.com" source="/var/log/foo/foo.log" "https://someurl.com" 
| reverse
| autoregress current_a11y_score AS old_a11y_score p=1
| eval a11y_changed = if(current_a11y_score!=old_a11y_score,"True","False")
| sort _time 
| table _time myRequestedUrl current_a11y_score old_a11y_score a11y_changed

Trigger condition (doesn't quite work but this is the gist of it):

search a11y_changed = True

Trigger action:

Send an email with a bunch of info.

I know that, on a Dashboard, you can populate a form field dynamically with a token based on a search like so:

host="accessibility-scanner.foo.com" source="/var/log/lighthouse/lighthouse.log" myRequestedUrl

Is something like this possible with an Alert? Got any better ideas on how to accomplish this goal of using 1 Alert for multiple urls?

Thanks in advance. First time poster.

0 Karma
Reply

kingb00
Explorer
‎12-14-2018 10:49 AM

Thank you all for your advice.

In the end the answer was so much easier than expected. No need for lookups. Just leaving out the URL brought up all the events. Sort them alphabetically and by time. dedup to the latest two to get the last score for autoregress to look at, then dedup again at the end to remove second event for the same requestedUrl (which is not accurate because it was copied from the previous line which is not the same URL). That leaves one event row with all the correct values. Then as @nagarjuna280 said, use "each result" option in the Alert. That runs it on every row. Easy peasy and I don't need to maintain a lookup file or definition.

host="accessibility-scanner.foo.com" source="/var/log/foo/foo.log" myRequestedUrl=*
| sort requestedUrl, _time
| dedup 2 myRequestedUrl
| reverse
| autoregress current_a11y_score AS old_a11y_score p=1
| eval a11y_changed = if(current_a11y_score!=old_a11y_score,"True","False")
| sort _time
| dedup requestedUrl
| reverse
| table _time myRequestedUrl current_a11y_score old_a11y_score a11y_changed

This answer works. If you have any hints on how to make the query more efficient, please let me know.

0 Karma
Reply

HiroshiSatoh
Champion
‎12-11-2018 08:36 PM

In this case, it is common to use the LOOKUP file.

If only to use as a condition

host="accessibility-scanner・・・" source="/var/log/・・・" [ |inputlookup XXX.csv|rename your_url as query]|・・・

If you want to know which keyword matched

If the number of URLs is about 10

|inputlookup XXX.csv|rename your_url as myRequestedUrl
|map search="search host=\"accessibility-scanner・・・" source=\"/var/log/・・・\" \"$myRequestedUrl$\"|・・・"

If the number of URLs is large, the efficiency gets worse with MAP and complicated SPL is needed.

0 Karma
Reply

kingb00
Explorer
‎12-12-2018 07:02 AM

I must not be doing something right. When I try our new search:

 host="accessibility-scanner.foo.com" source="/var/log/foo/foo.log" myRequestedUrl
 | inputlookup https://someurl.com/files/tiered-sites.csv|rename myRequestedUrl as query
 | reverse
 | autoregress current_a11y_score AS old_a11y_score p=1
 | eval a11y_changed = if(current_a11y_score!=old_a11y_score,"True","False")
 | sort _time 
 | table _time myRequestedUrl current_a11y_score old_a11y_score a11y_changed

I get: "Error in 'inputlookup' command: This command must be the first command of a search." Did I do something wrong?

If I flip it to have inputlookup first I get "Search Factory: Unknown search command 'host'."

0 Karma
Reply

kingb00
Explorer
‎12-12-2018 07:29 AM

Also, maybe related. Do I need a real CSV file or can I pipe it in by something like this?:

host="accessibility-scanner.foo.com" source="/var/log/foo/foo.log" myRequestedUrl 
| dedup requestedUrl
| outputcsv
0 Karma
Reply

HiroshiSatoh
Champion
‎12-12-2018 06:34 PM

The sample above me uses ”subsearch”.

【subsearch】
special field:query

index=* [inputlookup xxx.csv | fields col_a]
->(col_a=1) OR (col_a=2) OR (col_a=3) ・・・・

index=* [inputlookup xxx.csv | rename col_a as query | fields query]
->(1) OR (2) OR (3) ・・・・

0 Karma
Reply

nagarjuna280
Communicator
‎12-11-2018 09:45 PM

adding to this, if you want email alert for each url result, select action on "each result" in email settings

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...