
How to get alerts when a new exception appears?

See0
Path Finder

I have created a lookup file (.csv) with the known exceptions. My question is how to create a search that checks against those known exceptions.

I want to get results only when a different exception appears (an exception that has never happened before), and I also want to make an alert from it.

When I tried to make a search that checks against that file, the results also showed exceptions that are in the .csv file.

How can I do this? Is there another, better option?

My .csv file looks like this (140 exceptions), and this is my environment:

[screenshot of the .csv lookup file]

[screenshot of the log events]


somesoni2
Revered Legend

If you have your "exception" field extracted already, try something like this:

index=yourIndex sourcetype=yourSourcetype NOT [| inputlookup yourExceptionLookup.csv | table exception ]

If the field is not already extracted, consider doing so and then use the above query.

If field extraction is not possible and you want to do a less efficient text search, try something like this:

 

index=yourIndex sourcetype=yourSourcetype NOT [| inputlookup yourExceptionLookup.csv | table exception | rename exception as search ]

 
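The two searches above both work by expanding the subsearch into the outer search: the first form becomes `NOT ((exception="A") OR (exception="B") ...)`, and the second form, because the field is renamed to `search`, becomes a list of raw text terms, so any event whose raw text mentions a known exception name anywhere is dropped. The first form only filters correctly if an `exception` field actually exists on each event; `NOT exception="A"` is true for events that have no `exception` field at all, so with no extraction the search returns everything. The following search is an added example, not code from the thread or from Splunk documentation. It extracts the exception name with a regex, joins it against the lookup with `lookup` instead of a subsearch (which avoids subsearch row and time limits), keeps only the names that have no match in the CSV, and collapses the result to one row per unseen exception type, which is what an alert wants. `yourIndex`, `yourSourcetype` and `yourExceptionLookup.csv` are the placeholders from the answer; the regex and the assumption that the CSV has a column header named `exception` are mine and must be adjusted to the real log format and file.

```spl
index=yourIndex sourcetype=yourSourcetype
| rex field=_raw "(?<exception>\b[\w.]*Exception\b)"
| where isnotnull(exception)
| lookup yourExceptionLookup.csv exception OUTPUT exception AS known_exception
| where isnull(known_exception)
| stats count AS hits earliest(_time) AS first_seen latest(_time) AS last_seen BY exception
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - hits
```

Line by line: `rex` pulls the first token ending in `Exception` (for example `java.lang.NullPointerException`) out of the raw event into a field called `exception`; events with no such token are discarded by the first `where`. `lookup` looks the extracted value up in the CSV and, when it finds a row, copies the matching value into `known_exception`; events whose exception is not in the file get no `known_exception` at all, and the second `where` keeps exactly those. `stats` then reports, per unseen exception type, how many events were seen and when the first and last one occurred. Save this as an alert, schedule it over a window matching its cron interval (for example every 15 minutes over the last 15 minutes), and set the trigger condition to "number of results is greater than 0"; because of the `stats`, one new exception type produces one result row and therefore one alert, not one per event. Once a new exception has been triaged, add its name to the CSV so it stops alerting; if the lookup file is uploaded through the web UI, the `outputlookup` command with `append=true` can also be used to add rows from a search.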

See0
Path Finder

Could you help me?


See0
Path Finder

Still not very clear to me.

 

index=doc1 sourcetype=at-doc1 NOT [| inputlookup yourExceptionLookup.csv | table exception ]

 

Let's say I have the index doc1 and sourcetype=at-doc1. If I perform this search, it will extract all the events, even the ones I have in the file (if the log is different but includes the exception name). I expect to get some exceptions that are not in the .csv. Am I doing something wrong?

Somehow I want to get the types of exceptions that have never happened before and fully exclude the exceptions I know from the file. Is that possible?

As you can see, my environment (logs) is different every time. I don't know if this is the cause, but even if the logs are different I want to exclude the entire log line if it contains something from the .csv.
