Splunk Search

Lookup Table - only send email if the Event is NOT on the Lookup Table list

MasterOogway
Communicator

If I have a lookup table with the following information in it (see below), how do I send an email if the "event" found is NOT on the list?

For example, what if the event extracted was '%SPANTREE-SP-2-RECV_BAD_TLV'?

error,action,email
SYS-3-PORT_RX_BADCODE,TRUE,some@group.com
SYS-3-PORT_DEVICENOLINK,TRUE,some@group.com
SYS-3-PORT_BADPORT,TRUE,DEFAULT
TTY-3-AUTOCONFIG,TRUE,DEFAULT
ARC22056-4-minor,TRUE,DEFAULT
AUT21097-4-minor,TRUE,DEFAULT
C4K_EBM-4-HOSTFLAPPING,TRUE,DEFAULT
DHCPDBG-4-39,TRUE,DEFAULT
DOT11-4-TKIP_REPLAY,TRUE,some@group.com
DHCP_SNOOPING-4-AGENT_OPERATION_FAILED,TRUE,DEFAULT


props.conf:

[syslog_info]
EXTRACT-cisco_event = (?<error>\%.*-\b([0-4])\-.*?):\s
LOOKUP-foo = cisco_event_error error

transforms.conf:

[cisco_event_error]
filename = syslog_alerter.csv


Currently this search finds all events found in the lookup table:

sourcetype="syslog_info" | lookup syslog_alerter.csv error

araitz
Splunk Employee
Splunk Employee

My Windows & Linux DHCP apps use a similar technique.

Make this change to props.conf:

LOOKUP-foo = cisco_event_error error OUTPUTNEW

Then try this simple search:

sourcetype="syslog_info" error=* NOT action=*
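
As an added example, not code from this thread or from Splunk itself, the Python below models what the question's props.conf/transforms.conf pair and the answer's search do, so the behaviour can be checked offline: the EXTRACT regex from the question pulls the error field out of each raw line, the CSV lookup adds action and email with OUTPUTNEW semantics, and the final filter keeps only events with an error that the lookup did not annotate (the equivalent of error=* NOT action=*). The CSV rows and the syslog lines are constructed for the example. One assumption to note: the question's regex captures the leading % while the CSV keys on the page have none, so the example strips it before the lookup; in Splunk the extracted value and the CSV key must agree exactly (and the match is case-sensitive by default) or the lookup never fires and every event would be treated as unlisted.

```python
import csv
import io
import re

# Same pattern as EXTRACT-cisco_event in the question's props.conf,
# using Python's (?P<name>...) named-group syntax.
ERROR_RE = re.compile(r"(?P<error>%.*-\b([0-4])-.*?):\s")

# Constructed copy of syslog_alerter.csv (a subset of the rows in the question).
LOOKUP_CSV = """error,action,email
SYS-3-PORT_RX_BADCODE,TRUE,some@group.com
SYS-3-PORT_DEVICENOLINK,TRUE,some@group.com
SYS-3-PORT_BADPORT,TRUE,DEFAULT
DOT11-4-TKIP_REPLAY,TRUE,some@group.com
"""

# Constructed syslog_info events; hosts, sequence numbers and timestamps are made up.
EVENTS = [
    "Mar 10 12:00:01 sw1 101: %SYS-3-PORT_RX_BADCODE: Port Gi1/0/1 received bad code",
    "Mar 10 12:00:02 sw1 102: %SPANTREE-SP-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on port Gi1/0/2",
    "Mar 10 12:00:03 ap1 103: %DOT11-4-TKIP_REPLAY: TKIP replay detected from client 00:11:22:33:44:55",
    "Mar 10 12:00:04 sw2 104: %LINK-5-CHANGED: Interface Gi1/0/3, changed state to administratively down",
    "Mar 10 12:00:05 sw2 105: %LINEPROTO-4-UPDOWN: Line protocol on Interface Vlan1, changed state to up",
]


def load_lookup(csv_text):
    """Parse the lookup CSV into {error: {"action": ..., "email": ...}}.
    Keys are kept exactly as written: Splunk CSV lookups match case-sensitively by default."""
    return {row["error"]: {"action": row["action"], "email": row["email"]}
            for row in csv.DictReader(io.StringIO(csv_text))}


def extract_fields(raw):
    """Search-time extraction (EXTRACT-cisco_event): return the event's fields.
    Severity 5+ messages do not match [0-4], so they get no error field at all."""
    fields = {"_raw": raw}
    match = ERROR_RE.search(raw)
    if match:
        fields["error"] = match.group("error")
    return fields


def apply_lookup(fields, lookup, outputnew=True):
    """LOOKUP-foo = cisco_event_error error OUTPUTNEW.
    With no field list, every column of the CSV is output; OUTPUTNEW means a field
    that already has a value in the event is left alone, whereas OUTPUT overwrites it.
    Assumption: the leading '%' captured by the regex is stripped so the value
    matches the CSV keys as they appear on the page."""
    key = fields.get("error")
    if key is None:
        return fields
    row = lookup.get(key.lstrip("%"))
    if row is None:
        return fields  # not on the list: no action/email fields are added
    for name, value in row.items():
        if outputnew and fields.get(name):
            continue
        fields[name] = value
    return fields


def unlisted_errors(events, lookup):
    """Equivalent of: sourcetype="syslog_info" error=* NOT action=*
    Returns the error codes that should trigger the email alert."""
    hits = []
    for raw in events:
        fields = apply_lookup(extract_fields(raw), lookup)
        if "error" in fields and "action" not in fields:
            hits.append(fields["error"])
    return hits


if __name__ == "__main__":
    lookup = load_lookup(LOOKUP_CSV)
    for code in unlisted_errors(EVENTS, lookup):
        print("alert:", code)
```

Running it reports the two codes that are absent from the CSV, %SPANTREE-SP-2-RECV_BAD_TLV and %LINEPROTO-4-UPDOWN, while the %LINK-5-CHANGED line is dropped by the error=* half of the filter because the regex never extracts a severity-5 message. The OUTPUTNEW keyword only matters when an event already carries an action field; apply_lookup shows the difference when called with outputnew=False.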


araitz
Splunk Employee
Splunk Employee

Sweet! Don't forget to vote up my answer 🙂

0 Karma

MasterOogway
Communicator

After updating per your last correction post I was able to get the results I needed: "only send email if the Event is NOT on the Lookup Table list".
Always nice to get help from the best!

0 Karma

araitz
Splunk Employee
Splunk Employee

MasterOogway - my fault, I made some typos and put 'event' where it should have said 'error'. I edited your original post as well as my answer above, please give it another try.

0 Karma

MasterOogway
Communicator

I made this change and restarted but without luck. When I run your search I get no results.
When I run this search: sourcetype=syslog_info event=*, again, I get no results, but would have expected something. Any other thoughts?

What does the empty OUTPUTNEW without any following fields defined do? I understand the "NOT action=*" removes any of the csv's "true" entries.

Thanks for your help, araitz

pstein (MasterOogway)

0 Karma