Splunk Search

Search based on a previous conditions. Or alert that exec additional search

New Member


Is it possible to implement something like this?
I have 300+ devices that send logs to one index. I want to check if there are no logs from the device for more than one minute then execute an alert. When the device resumed logs then also a warning. And immediately after the warning update the csv file.

My search now looks like this:

| tstats latest(_time) as lastSeen where index IN("my_devs") earliest=-2m latest=now by host
| lookup devs_hosts_names.csv host OUTPUT dev_name
| eval dev_name = if(isnotnull(dev_name),dev_name,"unknow host")
| eval status = if((now() - lastSeen<=60),"up","down")
| eval status = if(isnotnull(lastSeen),status,"unknow")
| search NOT
[| inputlookup devs_status.csv
| fields host dev_name status]
| convert ctime(*Seen)
| table host dev_name status lastSeen

| - At this time of search I would like to trigger an alert for each dev_name and then rewrite (update)  devs_status.csv 

But I don't find how it can be realized, I ask for your help. I'm new to splunk and don't understand how much this kind of request is normal for splunk?



Labels (2)
0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...