Splunk Search

Search based on a previous conditions. Or alert that exec additional search

Kim
New Member

Hello! 

Is it possible to implement something like this?
I have 300+ devices that send logs to one index. I want to check if there are no logs from the device for more than one minute then execute an alert. When the device resumed logs then also a warning. And immediately after the warning update the csv file.

My search now looks like this:

| tstats latest(_time) as lastSeen where index IN("my_devs") earliest=-2m latest=now by host
| lookup devs_hosts_names.csv host OUTPUT dev_name
| eval dev_name = if(isnotnull(dev_name),dev_name,"unknow host")
| eval status = if((now() - lastSeen<=60),"up","down")
| eval status = if(isnotnull(lastSeen),status,"unknow")
| search NOT
[| inputlookup devs_status.csv
| fields host dev_name status]
| convert ctime(*Seen)
| table host dev_name status lastSeen

| - At this time of search I would like to trigger an alert for each dev_name and then rewrite (update)  devs_status.csv 

But I don't find how it can be realized, I ask for your help. I'm new to splunk and don't understand how much this kind of request is normal for splunk?

Thanks.

 

Labels (2)
0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...