Splunk Cloud Platform

Need to pass threshold value dynamically in a splunk macro

ssri1705
Observer

Hello,

I have a Splunk macro which is being used to alert for system saturation.

When I am passing numeric values in the macro, I am getting the results and am able to send alerts; however, if I try to pass arguments in my macro, I stop getting any result and there is no error.

eventtype="nmon:performance" type=DF_STORAGE storage_used_percent>0 env::$env$
| stats latest(storage_used_percent) as storage_used_percent by _time, frameID, host, env, mount
| lookup nmon_alerting_threshold_template_filesystem frameID mount OUTPUT alert_fs_max_percent as template_alert_fs_max_percent, alert_fs_min_time_seconds as template_alert_fs_min_time_seconds
| lookup nmon_alerting_threshold_filesystem frameID host mount OUTPUT alert_fs_max_percent as server_alert_fs_max_percent, alert_fs_min_time_seconds as server_alert_fs_min_time_seconds
| eval default_alert_fs_max_percent="$threshold$", default_alert_fs_min_time_seconds="$time$"
| eval alert_fs_max_percent=case(isnum(server_alert_fs_max_percent), server_alert_fs_max_percent, isnum(template_alert_fs_max_percent), template_alert_fs_max_percent, isnum(default_alert_fs_max_percent), default_alert_fs_max_percent), alert_fs_min_time_seconds=case(isnum(server_alert_fs_min_time_seconds), server_alert_fs_min_time_seconds, isnum(template_alert_fs_min_time_seconds), template_alert_fs_min_time_seconds, isnum(default_alert_fs_min_time_seconds), default_alert_fs_min_time_seconds), alert_threshold_source=case(isnum(server_alert_fs_max_percent), "server_thresholds", isnum(template_alert_fs_max_percent), "template_thresholds", isnum(default_alert_fs_max_percent), "default_threshold")
| where (storage_used_percent>=alert_fs_max_percent)
| lookup nmon_alerting_filesystem_global_exclusion mount OUTPUT exclude as global_exclude
| lookup nmon_alerting_filesystem_template_exclusion frameID mount OUTPUT exclude as template_exclude
| lookup nmon_alerting_filesystem_per_server_exclusion host mount OUTPUT exclude as host_exclude
| fillnull value="false" global_exclude template_exclude host_exclude
| where (global_exclude!="true" AND template_exclude!="true" AND host_exclude!="true")
| stats latest(_time) as _time range(_time) as duration latest(storage_used_percent) as latest_storage_used_percent, values(alert_fs_max_percent) as alert_fs_max_percent, values(alert_fs_min_time_seconds) as alert_fs_min_time_seconds, values(alert_threshold_source) as alert_threshold_source by frameID,host,env,mount
| where (latest_storage_used_percent>=alert_fs_max_percent) AND (duration >= alert_fs_min_time_seconds)
| eval "duration (hh:mm:ss)"=tostring(duration,"duration")
| fields frameID,host,env,_time,mount,duration,"duration (hh:mm:ss)",latest_storage_used_percent,alert_fs_max_percent,alert_fs_min_time_seconds,alert_threshold_source

Can someone help me pass numeric values as arguments to get the right response?

Thanks in advance.


richgalloway
SplunkTrust

It looks like default_alert_fs_max_percent and default_alert_fs_min_time_seconds are supposed to be numbers, but are assigned quoted strings. Try removing the quotation marks from | eval default_alert_fs_max_percent="$threshold$", default_alert_fs_min_time_seconds="$time$"

---
If this reply helps you, Karma would be appreciated.
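A macros.conf stanza for the search above with the quotes removed as the reply suggests, plus argument validation so a non-numeric threshold is rejected when the search is parsed instead of silently matching nothing (added example, not code from the thread; the stanza name nmon_fs_saturation, the argument order and the validation bounds are assumptions, while the lookup and field names are the ones from the post).

```ini
# Added example, not from the thread. Stanza name, argument order and the
# validation bounds are assumed; lookups and field names are from the post.
# Invoke as: `nmon_fs_saturation(prod, 90, 600)`  (env, percent, seconds)
[nmon_fs_saturation(3)]
args = env, threshold, time

# Fail loudly on bad arguments: an alert that quietly returns no rows because
# case() fell through on a non-numeric default is a monitoring blind spot.
validation = isnum($threshold$) AND isnum($time$) AND $threshold$ > 0 AND $threshold$ <= 100 AND $time$ >= 0
errormsg = threshold must be a percentage in (0,100] and time a non-negative number of seconds

# $threshold$ and $time$ are substituted as bare tokens, not "quoted" strings,
# so isnum(default_alert_fs_max_percent) is true and the default tier applies.
definition = eventtype="nmon:performance" type=DF_STORAGE storage_used_percent>0 env::$env$ \
| stats latest(storage_used_percent) as storage_used_percent by _time, frameID, host, env, mount \
| lookup nmon_alerting_threshold_template_filesystem frameID mount OUTPUT alert_fs_max_percent as template_alert_fs_max_percent, alert_fs_min_time_seconds as template_alert_fs_min_time_seconds \
| lookup nmon_alerting_threshold_filesystem frameID host mount OUTPUT alert_fs_max_percent as server_alert_fs_max_percent, alert_fs_min_time_seconds as server_alert_fs_min_time_seconds \
| eval default_alert_fs_max_percent=$threshold$, default_alert_fs_min_time_seconds=$time$ \
| eval alert_fs_max_percent=case(isnum(server_alert_fs_max_percent), server_alert_fs_max_percent, isnum(template_alert_fs_max_percent), template_alert_fs_max_percent, isnum(default_alert_fs_max_percent), default_alert_fs_max_percent), \
       alert_fs_min_time_seconds=case(isnum(server_alert_fs_min_time_seconds), server_alert_fs_min_time_seconds, isnum(template_alert_fs_min_time_seconds), template_alert_fs_min_time_seconds, isnum(default_alert_fs_min_time_seconds), default_alert_fs_min_time_seconds), \
       alert_threshold_source=case(isnum(server_alert_fs_max_percent), "server_thresholds", isnum(template_alert_fs_max_percent), "template_thresholds", isnum(default_alert_fs_max_percent), "default_threshold") \
| where (storage_used_percent>=alert_fs_max_percent) \
| lookup nmon_alerting_filesystem_global_exclusion mount OUTPUT exclude as global_exclude \
| lookup nmon_alerting_filesystem_template_exclusion frameID mount OUTPUT exclude as template_exclude \
| lookup nmon_alerting_filesystem_per_server_exclusion host mount OUTPUT exclude as host_exclude \
| fillnull value="false" global_exclude template_exclude host_exclude \
| where (global_exclude!="true" AND template_exclude!="true" AND host_exclude!="true") \
| stats latest(_time) as _time range(_time) as duration latest(storage_used_percent) as latest_storage_used_percent, values(alert_fs_max_percent) as alert_fs_max_percent, values(alert_fs_min_time_seconds) as alert_fs_min_time_seconds, values(alert_threshold_source) as alert_threshold_source by frameID,host,env,mount \
| where (latest_storage_used_percent>=alert_fs_max_percent) AND (duration >= alert_fs_min_time_seconds) \
| eval "duration (hh:mm:ss)"=tostring(duration,"duration") \
| fields frameID,host,env,_time,mount,duration,"duration (hh:mm:ss)",latest_storage_used_percent,alert_fs_max_percent,alert_fs_min_time_seconds,alert_threshold_source
```

Passing a non-numeric value such as `nmon_fs_saturation(prod, high, 600)` then surfaces the errormsg in the search bar rather than an empty result set that the scheduled alert would treat as "nothing saturated".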