Splunk Enterprise Security

How to create a search condition in Splunk where an alert is based on result?

ruchijain
New Member

I want to get alerts for the situations which are different from below conditions:

Server      A   B   C   D
condition   ✓   ✓   X   X
            X   X   ✓   ✓

I want to check in Splunk, for the above servers, whether this condition holds; if it does then it's OK, otherwise it should alert us via email.

PS: The above condition means either A and B are UP and C and D are down, or A and B are down and C and D are UP.
If there is any other condition, like all UP, all DOWN, A and C UP, or many more combinations, then it should alert us.

But I am not able to use Splunk to set this condition; can anyone please help me with this?

I am not sure if we can use a LOOKUP table to check this.

0 Karma
1 Solution

DavidHourani
Super Champion

Hi @ruchijain,

I'm assuming you have a table that looks as follows:
A B C D
u u X X
u u u X
u X X X
X X u u

If that's the case then something like this will return all the events you need:

YourBaseSearch ( A=u B=u C=X D=X) OR ( A=X B=X C=u D=u) 

Adding NOT will return all the events that should alert you:

YourBaseSearch NOT ( ( A=u B=u C=X D=X) OR ( A=X B=X C=u D=u) )

If you want you can share a sample event so I can help you build a search that's closer to what you will be using.

Cheers,
David


0 Karma

ruchijain
New Member

The sample is as below:

Currently A and B are showing service status as status=running (sourcetype=service_stutus, where I am using the jboss service status).
C and D are editorial servers and are not running, so their status is stopped.

I want to run the query when A and B are running and C and D are stopped, or vice versa (A and B are stopped and C and D are running).
For the rest of the status combinations it should send the alert.

0 Karma
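The accepted answer's `NOT ( (...) OR (...) )` form assumes A, B, C and D are fields of a single event. The follow-up describes the more common shape, where each server emits its own status event (host plus status=running/stopped), so the per-host values have to be pivoted into one combination first, the same thing `| stats latest(status) as status by host` does in SPL. The script below is an added example, not code from the thread or from Splunk; the host names A..D, the `_time`/`host`/`status` field names and the sample events are constructed assumptions modelled on the reply. It computes the latest status per host, checks the combination against the two allowed states, and also generates the search fragment from the accepted answer with the asker's real status values substituted.

```python
# Constructed sample events, one status event per server, modelled on the
# thread (hosts A..D, status running/stopped). Names and values are assumptions.
SAMPLE_EVENTS = [
    {"_time": 1, "host": "A", "status": "running"},
    {"_time": 2, "host": "B", "status": "running"},
    {"_time": 3, "host": "C", "status": "stopped"},
    {"_time": 4, "host": "D", "status": "stopped"},
]

SERVERS = ("A", "B", "C", "D")

# The two acceptable combinations from the question as (A, B, C, D) tuples.
# Any other combination, including a server that reported nothing, alerts.
ALLOWED_STATES = {
    ("running", "running", "stopped", "stopped"),
    ("stopped", "stopped", "running", "running"),
}


def latest_status_by_host(events):
    """Keep the most recent status per host; the Python equivalent of
    `| stats latest(status) as status by host` over per-server events."""
    latest = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        latest[ev["host"]] = ev["status"]
    return latest


def current_state(events, servers=SERVERS):
    """Pivot per-host statuses into one (A, B, C, D) tuple. A server with
    no event at all reports 'unknown', which never matches an allowed state,
    so a silent server is treated as an alert condition rather than ignored."""
    latest = latest_status_by_host(events)
    return tuple(latest.get(host, "unknown") for host in servers)


def should_alert(events, servers=SERVERS, allowed=ALLOWED_STATES):
    """True when the observed combination is not one of the allowed states,
    mirroring the NOT ( (...) OR (...) ) structure of the accepted answer."""
    return current_state(events, servers) not in allowed


def spl_alert_condition(servers=SERVERS, allowed=ALLOWED_STATES):
    """Render the allowed states as the search fragment from the accepted
    answer, with real status values instead of the placeholder u/X. This
    fragment only works once A..D exist as fields on a single row."""
    clauses = []
    for state in sorted(allowed):
        terms = " ".join(f"{host}={status}" for host, status in zip(servers, state))
        clauses.append(f"( {terms} )")
    return "NOT ( " + " OR ".join(clauses) + " )"


if __name__ == "__main__":
    print("state:", current_state(SAMPLE_EVENTS))
    print("alert:", should_alert(SAMPLE_EVENTS))
    print("SPL fragment:", spl_alert_condition())
```

The `unknown` handling is the part worth carrying over into the real alert: a search that only matches the two good combinations will also be quiet when a server stops sending status events at all, so the alert should fire on "not in the allowed set" rather than on an explicit list of bad combinations.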
