Splunk Search

How to create a Splunk alert upon any new table entry

rsantkumar
Observer

Hi. I have a Splunk table which tracks all the plugin versions available to install for each plugin. Please note that each plugin can have multiple values. The idea is to alert when a new version becomes available for any of the plugins (latest entry). The search runs every 5 mins.

Kindly help.



jacobpevans
Motivator

By "Splunk table", I assume you mean the results of a search as it appears in your screenshot. If this is the case, you can compare the current data to a previous time's data. The search below will retrieve the unique data from the previous five minutes, but only if it is not present in the previous day outside that five-minute window.

index=<your_index> sourcetype=<your_sourcetype> earliest=-5m latest=now
| table key Plugin_version Release
| search NOT
    [ | search index=<your_index> sourcetype=<your_sourcetype> earliest=-1d latest=-5m
      | table key Plugin_version Release ]


Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

gcusello
SplunkTrust

Hi @rsantkumar,

To solve your requirement, you could have two approaches:

Extract all the versions of each product and check that every target host has the highest, or, in other words, that they all have the same version.

In this way you cannot check the alignment with the newest version but only that all the versions are aligned.

Otherwise, you could create a lookup containing the latest version of each product to verify and check if all the targets are aligned with this version.

Ciao.

Giuseppe

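The following is an added example, not code from either answer above: it combines Jacob's "what is new in the last 5 minutes" search with the lookup Giuseppe suggests, so that the known (plugin, version) pairs are kept in a CSV lookup instead of being re-derived from a 1-day subsearch on every run. That removes two caveats of the subsearch form: a subsearch is capped at 10,000 results (older rows silently drop out and would look "new" again), and a pair that last appeared more than a day ago would re-alert. The stanza assumes the same `<your_index>` / `<your_sourcetype>` placeholders and the fields `key`, `Plugin_version` and `Release` from the thread; the lookup name `known_plugin_versions.csv` and the alert name are my own choices.

```ini
# Added example (not from the original thread). Assumed names: the index and
# sourcetype placeholders from Jacob's search, the fields key / Plugin_version /
# Release, and a CSV lookup called known_plugin_versions.csv that you seed once.
#
# Step 1 (run once, interactively, before enabling the alert): seed the lookup
# with every pair currently visible so the first scheduled run does not alert
# on the whole backlog. The search creates the CSV with its column headers.
#
#   index=<your_index> sourcetype=<your_sourcetype> earliest=-1d latest=now
#   | stats latest(Release) as Release by key Plugin_version
#   | eval first_seen=now()
#   | outputlookup known_plugin_versions.csv
#
# Step 2: the scheduled alert, as a savedsearches.conf stanza. Every 5 minutes
# it takes the pairs seen in the last 5 minutes, drops those already recorded
# in the lookup, appends the remainder to the lookup (outputlookup append=true
# writes the rows and passes them through), and alerts if any rows remain.
[New plugin version available]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = <recipient>
search = index=<your_index> sourcetype=<your_sourcetype> \
| stats latest(Release) as Release by key Plugin_version \
| lookup known_plugin_versions.csv key Plugin_version OUTPUT first_seen \
| where isnull(first_seen) \
| eval first_seen=now() \
| outputlookup append=true known_plugin_versions.csv
```

Two things to check when deploying this: the saved search and the lookup file must live in the same app (or the lookup must be shared globally), and the user the search runs as needs write permission on the lookup, otherwise `outputlookup` fails and the rows would be reported as new on every run. The lookup only ever grows by one row per new (plugin, version) pair, so it stays small; if you prefer Jacob's stateless form, add `| dedup key Plugin_version Release` inside the subsearch to keep it well under the 10,000-row limit.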

rsantkumar
Observer

@gcusello: Thanks for your reply. The problem with these approaches in my case is that versions are released quite often, and the idea is to notify us as soon as a new version is available for a plugin for us to use.
