Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write query for creating alert using lookup

Arpmjdr
Explorer
‎09-04-2019 06:49 AM

Hi Splunkers,

I have the events getting ingested as below:

timestamp patch_version

hostname

Now,I want to create one lookup csv named 'PatchDate' which contains columns with values

Host,MaxAge
default,30

Now,I want to implement two logic:

1.For each event received generate the MAXAGE value to be used.

            IF  <hostname> == Host ]
            THEN
                Use the  MaxAge value.
            ELSE
                Use the MaxAge value for ( Host == “default” )
            END-IF
  1. Calculate the DAYSSINCECHANGE for the   Generate current TimeStamp  => (need to write a rex command as field is not extracted)                                                                     
    Calculate Difference between and for event  => DIFFERENCE                  IF DIFFERENCE > 30 THEN It will throw alert.

Kindly help me to build the query.
TIA

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-05-2019 08:20 AM

Something like this

Your search that returns a record with these fields 
.... do whatever you need to calculate the timestamp here ... 
| table  _time patch_version hostname
| lookup PatchDate.csv Host as hostname OUTPUT MaxAge
| eval MaxAge=concatenate(MaxAge,30)
| eval DaysSinceChange=round((now()-_time)/86400,0) 
| where DaysSinceChange >= MaxAge

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-05-2019 08:20 AM

Something like this

Your search that returns a record with these fields 
.... do whatever you need to calculate the timestamp here ... 
| table  _time patch_version hostname
| lookup PatchDate.csv Host as hostname OUTPUT MaxAge
| eval MaxAge=concatenate(MaxAge,30)
| eval DaysSinceChange=round((now()-_time)/86400,0) 
| where DaysSinceChange >= MaxAge
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-05-2019 10:03 AM

By concatenate did you mean coalesce?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Arpmjdr
Explorer
‎09-05-2019 10:09 PM

modified a little but it has served my purpose. btw, I had to use "coalesce". Thanks to both of you @richgalloway and @DalJeanis 🙂

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-06-2019 05:04 AM

If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-04-2019 12:19 PM

This sounds a lot like a Fiverr task.
We need some example data to determine how to extract the current TimeStamp field.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...