Search based on a previous conditions. Or alert th...

Kim · ‎12-03-2023

Hello!

Is it possible to implement something like this?
I have 300+ devices that send logs to one index. I want to check if there are no logs from the device for more than one minute then execute an alert. When the device resumed logs then also a warning. And immediately after the warning update the csv file.

My search now looks like this:

| tstats latest(_time) as lastSeen where index IN("my_devs") earliest=-2m latest=now by host
| lookup devs_hosts_names.csv host OUTPUT dev_name
| eval dev_name = if(isnotnull(dev_name),dev_name,"unknow host")
| eval status = if((now() - lastSeen<=60),"up","down")
| eval status = if(isnotnull(lastSeen),status,"unknow")
| search NOT
[| inputlookup devs_status.csv
| fields host dev_name status]
| convert ctime(*Seen)
| table host dev_name status lastSeen

| - At this time of search I would like to trigger an alert for each dev_name and then rewrite (update) devs_status.csv

But I don't find how it can be realized, I ask for your help. I'm new to splunk and don't understand how much this kind of request is normal for splunk?

Thanks.

Search based on a previous conditions. Or alert that exec additional search

lookup

tstats

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?