Wait logic in Splunk query

ManjunathNargun · ‎10-03-2023

Hi All,

How can we implement the wait logic in a Splunk query.

We monitor the Service down traps primarily and create Splunk alerts.

We have requirement now, to wait for a time interval and check if the service UP trap received if yes then don't create alert else create an alert. How can we implement this in a single query? Any suggestion please.

Example: If ServiceDown trap received:

Wait for 5 minutes.

If Good trap received:

Return

Else:

Create alarm.

Thanks!

richgalloway · ‎10-03-2023

Look at it another way. Search the last 5 minutes. If a ServiceDown trap was received without a matching Good trap then create an alarm.

index=foo (trap=ServiceDown OR trap=Good) earliest=-6m
| dedup ```add a field that contains device name```
| where trap=ServiceDown AND _time <= relative_time(now(), "-5m")

Trigger the alert if the search returns results.

---
If this reply helps you, Karma would be appreciated.

ManjunathNargun · ‎10-25-2023

@richgalloway Hi , Tried the below one.

we are getting error as below.

Error in where command: The operator at '::trapdown AND _time<=relative_time(now(),"-5m") is invalid.

Please help me.

Thanks!

richgalloway · ‎10-25-2023

Have you tried something like this (assuming ServiceDown is a string)?

index=foo (trap=ServiceDown OR trap=Good) earliest=-6m
| dedup ```add a field that contains device name```
| where (trap="ServiceDown" AND _time <= relative_time(now(), "-5m"))

---
If this reply helps you, Karma would be appreciated.

Wait logic in Splunk query

using Splunk Cloud

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?