Splunk Search

Reading Event Counts for all indexes and then reading their corresponding Count for threshold Check Specified in the lookup File

bapun18
Communicator

Can Please anyone help me in building the query for my alert so that It takes the index name and its corresponding threshold count from the above shred image of specified lookup table for threshold mapping without using Tstats command ? Sharing the screenshot of Static lookup file image below ?

Tags (2)
0 Karma

hunderliggur
Path Finder

As I understand your question, you want to get the counts of events in indexes, then be able to compare them to a threshold from a lookup file.

I created a sample lookup file "index_test.csv" with index_name and threshold.

The serach below adds the threshold value to the event data for each index count:

| tstats count where index=* by index 
| lookup index_test.csv index_name AS index outputnew threshold 
| eval busted_limit=if(count>threshold,"BUSTED","OK")
| table index,busted_limit,count,threshold

You can use whatever search you want in line 1 to get a count by index.
Line 2 maps (looks up) the lookup file field name (index_name) based on the search name (index) and adds (outputnew) the field threashold to the results
Line 3 compares the count to the threshold and sets a flag
Line 4 just displays the results

Hope this helps

0 Karma

bapun18
Communicator

alt text

alt text

0 Karma

hunderliggur
Path Finder

There is no image associated with this question. Can you share the lookup data as text in your question and some idea of the search you are trying to join with?

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...