Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a Splunk alert upon any new table entry

rsantkumar
Observer
‎07-13-2020 07:11 PM

Hi. I have a splunk table which tracks  all the plugin version available to install for each plugin. Please note that each plugin can have multiple values. The idea is to alert when a new  version becomes available for any of the plugins(latest entry). the search runs every 5 mins.

rsantkumar_0-1594692562342.png

 

 

Kindly help.

 

Labels (1)
Labels
0 Karma
Reply

jacobpevans
Motivator
‎07-15-2020 03:29 PM

By "splunk table", I assume you mean the results of a search as it appears in your screenshot. If this is the case, you can compare the current data to a previous time's data. The search below will retrieve the unique data from the previous five minutes but only if it is not present in the previous day outside that five minute window.

index=<your_index> sourcetype=<your_sourcetype> earliest=-5m latest=now
| table key Plugin_version Release
| search NOT
    [ | search index=<your_index> sourcetype=<your_sourcetype> earliest=-1d latest=-5m
      | table key Plugin_version Release ]

 

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-14-2020 12:43 AM

Hi @rsantkumar,

To solve your requirement, you could have two approaches:

extract all the versions of each product and check that every target host has the highest, or, in different words, that they have all the same version.

In this way you cannot check the alignment with the newest version but only that all the versions are aligned.

Otherwise, you could create a lookup containing the latest version of each product to verify and check if all the targets are aligned with this version.

Ciao.

Giuseppe

0 Karma
Reply

rsantkumar
Observer
‎07-15-2020 03:18 PM

@gcusello: Thanks for your reply. The problem with these approaches in my case is that the release of versions is quite often and the idea is to notify us as soon as a new version is available for a plugin for us to use.

Tags (1)
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...