Splunk Search

How to get alert based on timeranges in the lookup file?

prettysunshinez
Explorer

Hi,

I have a lookup file as below.

Fileid  earliest  latest
abc     01        03
bcd     02        05

Now the alert (which runs every hour) that I am going to set up should look at this lookup file; if the current time matches the earliest/latest window of any row in the lookup file, the corresponding Fileid should be output, and the alert should also look for that Fileid within the time range given in the lookup file.

Please advise me how to achieve this.


ITWhisperer
SplunkTrust
| inputlookup lookupfile
| eval hour_now=floor(now()/(60*60))%24
| where hour_now >= earliest AND hour_now <= latest

prettysunshinez
Explorer

Thank you @ITWhisperer

Now I need to perform a search with the corresponding FileId in that timeframe (as in the lookup).

How would I do that?

ITWhisperer
SplunkTrust
search [| inputlookup lookupfile
| eval hour_now=floor(now()/(60*60))%24
| where hour_now >= earliest AND hour_now <= latest
| dedup FileId]

prettysunshinez
Explorer

Thanks again @ITWhisperer for the response.

My ask is: how do I run that search for the time specified in the lookup file?

If a fileid is to be searched with an earliest time of 2 am and a latest time of 4 am, how do I include that in the query?

ITWhisperer
SplunkTrust

Assuming FileId is a field already extracted, try something like this:

search [| inputlookup lookupfile
    | eval hour_now=floor(now()/(60*60))%24
    | where hour_now >= earliest AND hour_now <= latest
    | eval earliest=relative_time(now(),"@d+".earliest."h")
    | eval latest=relative_time(now(),"@d+".latest."h")
    | table earliest latest FileId]


prettysunshinez
Explorer

In the query below, when I enclose the inputlookup inside square brackets I'm not getting results.

My search has to be like the following:

index=abc sourcetype=bcd earliest=<earliest time that I get from lookup> latest=<latest time that I get from lookup> "<Fieldid that I get from lookup>"

prettysunshinez
Explorer

Can this be achieved without the help of a lookup file?


ITWhisperer
SplunkTrust

You could "hard code" the contents of the lookup file into your search using the makeresults command.


prettysunshinez
Explorer

Hi @ITWhisperer 

In the query given, when I enclose the inputlookup inside square brackets I'm not getting results.

My search has to be like the following:

index=abc sourcetype=bcd earliest=<earliest time that I get from lookup> latest=<latest time that I get from lookup> "<Fieldid that I get from lookup>"

ITWhisperer
SplunkTrust

Do you mean FieldId or FileId?

Please can you share the search you are using (with the brackets) which is not working?

prettysunshinez
Explorer

@ITWhisperer 

My actual search is this:

index=abc sourcetype=cbd <search_string> earliest=<some_time> latest=<some_time>

The search_string, earliest and latest have to be taken from the lookup file.

The lookup file will have file_id, earliest and latest time in it.

The search should run every hour.

If the current time matches the latest in the lookup, then the corresponding latest, earliest and file_id have to be picked up and given to the above query.

ITWhisperer
SplunkTrust

You said when you use the brackets it doesn't work. Can you share that search please?


prettysunshinez
Explorer

Yes.

index=sswer sourcetype=abcdr
    [| inputlookup lookup_test.csv
     | eval hour_now = (floor(now()/(60*60))%24-6)
     | where Earliest <= hour_now AND Latest >= hour_now
     | table hour_now Earliest Latest ReportsName]

This is the search query that I used.

My actual query should look like this:

index=sswer sourcetype=abcdr "ReportsName" earliest=Earliest latest=Latest

where the ReportsName, Earliest and Latest values have to be picked from the lookup file.
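The bracketed search above returns nothing because of how Splunk expands a subsearch: every field the subsearch returns becomes a `field=value` filter on the outer search, so it expands to something like `(hour_now=2 Earliest=1 Latest=3 ReportsName="x")`, which matches no events. Splunk special-cases only a few field names: `earliest` and `latest` (lowercase) are turned into time modifiers, and a field named `search` is inserted as a raw search string. The query below is an added example, not from the original thread, that uses those three names to build the search the last post asks for. It assumes the lookup is `lookup_test.csv` with columns `ReportsName`, `Earliest` and `Latest` (whole hours, same day, same timezone as the user running the search) and that the hourly alert's own time picker is wide enough to cover the lookup windows, since the subsearch's `earliest`/`latest` narrow rather than extend it.

```spl
index=sswer sourcetype=abcdr
    [| inputlookup lookup_test.csv
     | eval Earliest=tonumber(Earliest), Latest=tonumber(Latest)
     | eval hour_now=tonumber(strftime(now(), "%H"))
     | where Earliest <= hour_now AND Latest >= hour_now
     | eval earliest=relative_time(now(), "@d+".Earliest."h")
     | eval latest=relative_time(now(), "@d+".Latest."h")
     | eval search="\"".ReportsName."\""
     | table earliest latest search]
```

A few points on the choices made here. `strftime(now(), "%H")` gives the current hour in the timezone of the user who owns the search, so the hard-coded `-6` offset is not needed; `relative_time(now(), "@d+Nh")` snaps to midnight in that same timezone and adds N hours, so the lookup's hours and the user's timezone must agree. `tonumber()` makes sure `Earliest`/`Latest` compare numerically rather than as strings such as "01". When several lookup rows match the current hour, Splunk ORs the expanded rows, so the alert covers each matching report in its own window. To see exactly what the outer search receives, run the subsearch on its own and append `| format`; it prints the expanded `(earliest=... latest=... "ReportsName") OR (...)` string, which is the quickest way to check that no stray field (such as `hour_now`) is leaking into the filter. Windows that cross midnight (Latest < Earliest) are not handled by this example and would need a separate `relative_time` offset for the latest value.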