Splunk Search

Compare field values with field values from events before

ckunath
Communicator

Hello, I am currently trying to set up an alert in Splunk by checking my event data after events that contain a list of IDs.
If an event occurs which has a list of IDs like this:

ID_LIST=2345,7865,9876

I want to iterate through every ID in this list and check if the ID has been mentioned in any log ever before. If it can't be found in earlier logs, it should trigger an alert. If it appears in earlier logs, nothing should happen.

So right now I prepared my event by extracting all IDs from the found event into a field. How can I check whether or not the ID has been mentioned before?

0 Karma

woodcock
Esteemed Legend

Assuming that you are running this alert every 5 minutes and 60 days is enough backtrack, like this:

index=foo sourcetype=bar earliest=-60d latest=now [search index=foo sourcetype=bar earliest=-5m latest=now | stats count BY ID | fields ID] | stats latest(_raw) count BY ID | search count=1

However, it would make better sense to store the birthday of each event in a lookup by running a search for All time just once like this:

index=foo sourcetype=bar | stats min(_time) AS birthday BY ID | outputlookup IDbirthdays

And then do the alert and update like this:

index=foo sourcetype=bar earliest=-5m latest=now | lookup IDbirthdays ID OUTPUT birthday | search NOT birthday="*" | stats min(_time) AS birthday latest(_raw) AS _raw BY ID | outputlookup append=true IDbirthdays | rename _raw AS latest_raw

ckunath
Communicator

Thanks for your quick answer!
The only problem I have right now is that I have to extract the IDs out of the list first and store them in a field like this:

| eval splitArray=split(_raw,":")
| eval id_only=mvindex(splitArray,1)
| rex field=id_only mode=sed "s/RECEIVE//g"
| eval listID=split(id_only,",")

How can I do the comparison between the values of listID with the values of ID from the main search? In your example you can straight up filter by ID.
(I am sorry, I am still pretty inexperienced when it comes to advanced SPL queries)

0 Karma

woodcock
Esteemed Legend

You really should do a proper field extraction so that ID (or listID) is automatically extracted at search time as a multivalued field. That is the only way to go and that is a completely different question.

0 Karma
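Putting the two halves of the thread together (woodcock's lookup-based "birthday" approach and ckunath's need to compare every value of a multivalued ID list), here is an added example of a complete 5-minute alert search. It is not code from either poster; it assumes woodcock's index=foo sourcetype=bar and the IDbirthdays lookup, and assumes the raw event contains the literal text ID_LIST=2345,7865,9876 as in the question, so the rex pattern is a placeholder to be adapted to the real event format. The key step is mvexpand, which turns one event with three IDs into three rows, so that lookup and stats can work on a single-valued ID field exactly as in woodcock's answer:

```spl
index=foo sourcetype=bar earliest=-5m latest=now
| rex field=_raw "ID_LIST=(?<ID>[\d,]+)"
| where isnotnull(ID)
| makemv delim="," ID
| mvexpand ID
| lookup IDbirthdays ID OUTPUT birthday
| where isnull(birthday)
| stats min(_time) AS birthday, latest(_raw) AS latest_raw BY ID
| fields ID birthday latest_raw
| outputlookup append=true IDbirthdays
```

Seed the lookup once over All time by running the first five lines followed by `| stats min(_time) AS birthday BY ID | outputlookup IDbirthdays`; the lookup file must exist before the alert's `lookup` command runs. Every row the alert search returns is an ID that was not in the lookup at the time the search ran, so "trigger when number of results > 0" is the alert condition; the same search records the new IDs so the next run stays quiet. Two caveats: mvexpand is bounded by the `max_mem_usage_mb` limit in limits.conf, so extract only the ID field before expanding if events are large, and if two runs overlap they can both append the same ID, which is harmless for the `lookup` match but worth a periodic `| inputlookup IDbirthdays | dedup ID | outputlookup IDbirthdays` clean-up.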