Solved: How to alert host stop on failover paired hosts

vl951f · ‎03-07-2022

I have host stop event logged in a summary index

Index=summary search_name=feed_status

Host_name	Host_status
Host1a	Host_stop
Host2b	Host_stop
Host4a	Host_stop
Host1b	Host_stop
Host3a	Host_stop

I also have a lookup table for failover paired hosts.

Host_primary	Host_secondary
Host1a	Host1b
Host2a	Host2b
Host3a	Host3b
Host4a	Host4b

I need to generate the host stop alert when both failover paired hosts are stopped.

In this case alerting on Host1a and Host1b stopped.

vl951f · ‎03-07-2022

Hi, Giuseppe

I changed OUTPUT to OUTPUTNEW. It works.

index=summary search_name=feed_status
| lookup paired_host.csv Host_primary AS Host_name OUTPUTNEW Host_secondary as hostname2 pair_ID as pairid
| lookup paired_host.csv Host_secondary AS Host_name OUTPUTNEW Host_primary as hostname1 pair_ID as pairid
| stats dc(Host_name) AS hcount values(hostname1) AS Host_Primary values(hostname2) AS Host_secondary BY pairid
| where hcount =2

Thanks a lot for your help.

View solution in original post

gcusello · ‎03-07-2022

Hi @vl951f,

if you could add a column in the lookup containing an ID for each pair, you could use it for the check.

In other words, if the the new column is called pair_ID, you could run something like this:

index=summary search_name=feed_status
| lookup paired_host.csv Host_primary AS Host_name OUTPUT Host_secondary pair_ID
| lookup paired_host.csv Host_secondary AS Host_name OUTPUT Host_primary pair_ID
| stats dc(Host_name) AS dc_Host_name values(Host_primary) AS Host_Primary values(Host_secondary) AS Host_secondary BY pair_ID
| where dc_Host_name =2

Ciao.

Giuseppe

vl951f · ‎03-07-2022

Hi, Giuseppe

I changed OUTPUT to OUTPUTNEW. It works.

index=summary search_name=feed_status
| lookup paired_host.csv Host_primary AS Host_name OUTPUTNEW Host_secondary as hostname2 pair_ID as pairid
| lookup paired_host.csv Host_secondary AS Host_name OUTPUTNEW Host_primary as hostname1 pair_ID as pairid
| stats dc(Host_name) AS hcount values(hostname1) AS Host_Primary values(hostname2) AS Host_secondary BY pairid
| where hcount =2

Thanks a lot for your help.

gcusello · ‎03-08-2022

Hi @vl951f,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

vl951f · ‎03-07-2022

Hi, Giuseppe:

I added the column pair_ID, ad give it an unique number for each paired host. But "dc_Host_name" is always "1" after run the search.

Thanks

vl951f · ‎03-07-2022

It looks like one of the pair_ID is NULL from 2 lookup OUTPUT:

| lookup paired_host.csv Host_primary AS Host_name OUTPUT Host_secondary pair_ID
| lookup paired_host.csv Host_secondary AS Host_name OUTPUT Host_primary pair_ID

How to alert host stop on failover paired hosts

lookup

table

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup