Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

See the results of Splunk alerts in a search.

Aresndiz
Loves-to-Learn Lots
yesterday

I'm trying to optimize the alerts since I'm having issues. Where I work, it's somewhat slow to solve the problem (1 to 3 days) when the alert is triggered. This causes the alert to constantly trigger in the given time. I can't use Throttle since my alerts do not depend on a single host or event. For example:

index=os_pci_windowsatom host IN (HostP1 HostP2 HostP3 HostP4) source=cnt_mx_pci_sql_*_status_db 


|dedup 1 host state_desc
| streamstats  values(state_desc) as State by host

| eval Estado=case(
State!="ONLINE", "Critico",
State="ONLINE", "Safe"
)
| table Estado host  State _time
| where Estado="Critico"

When the status of a Host changes to critical, it triggers the alert. For this reason, I cannot use Throttle because in the time span that this alert is silenced, one of the hosts may trigger, omitting the entire alert completely.

My idea is to create logic based on the results of the last triggered alert and compare them with the current alert where if the host and status are the same, it remains unchanged. However, if the host and status are different from the previous one triggered, it should be triggered. splcapver.pngCaptura de pantalla 2024-12-20 115513.pngI thought about using the data where it's stored, but I don't know how to search for this information, does anyone have an idea? e

Any comment is greatly appreciated.

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
3 hours ago
Have you look this answer https://community.splunk.com/t5/Alerting/Throttle-alerts-based-on-field-value/m-p/172536 if it fulfills your needs?
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
yesterday

Let me first try to understand the problem: You want to find servers whose end state is offline, but whose immediate previous reported state is not offline, i.e., those whose state newly becomes offline.  Is this correct?  In other words, given these mock events

_timehoststate_desc
2024-12-20 18:00host1not online
2024-12-20 16:00host2not online
2024-12-20 14:00host3ONLINE
2024-12-20 12:00host4not online
2024-12-20 10:00host0not online
2024-12-20 08:00host1ONLINE
2024-12-20 06:00host2not online
2024-12-20 04:00host3not online
2024-12-20 02:00host4ONLINE
2024-12-20 00:00host0not online
2024-12-19 22:00host1not online
2024-12-19 20:00host2ONLINE
2024-12-19 18:00host3not online
2024-12-19 16:00host4not online
2024-12-19 14:00host0ONLINE
2024-12-19 12:00host1not online
2024-12-19 10:00host2not online
2024-12-19 08:00host3ONLINE
2024-12-19 06:00host4not online
2024-12-19 04:00host0not online
2024-12-19 02:00host1ONLINE
2024-12-19 00:00host2not online
2024-12-18 22:00host3not online
2024-12-18 20:00host4ONLINE
2024-12-18 18:00host0not online
2024-12-18 16:00host1not online
2024-12-18 14:00host2ONLINE
2024-12-18 12:00host3not online
2024-12-18 10:00host4not online
2024-12-18 08:00host0ONLINE
2024-12-18 06:00host1not online
2024-12-18 04:00host2not online
2024-12-18 02:00host3ONLINE
2024-12-18 00:00host4not online
2024-12-17 22:00host0not online

You want alert on host1 and host4 only.

To do this with streamstats, you will need to sort events this way and that.  I usually consider them costs. (And I am quite fuzzy in streamstats:-)  So, I consider this one of few good uses of transaction.  Something like

 

index=os_pci_windowsatom host IN (HostP1 HostP2 HostP3 HostP4) source=cnt_mx_pci_sql_*_status_db
| transaction host endswith=state_desc=ONLINE keepevicted=true
| search eventcount = 1 state_desc != ONLINE

 

Here is an emulation of the mock data for you to play with and compare with real data.

 

| makeresults count=35
| streamstats count as state_desc
| eval _time = relative_time(_time - state_desc * 7200, "-0h@h")
| eval host = "host" . state_desc % 5, state_desc = if(state_desc % 3 > 0, "not online", "ONLINE")
``` the above emulates
index=os_pci_windowsatom host IN (HostP1 HostP2 HostP3 HostP4) source=cnt_mx_pci_sql_*_status_db 
```

 

Output from the search is

_timeclosed_txndurationeventcountfield_match_sumhostlinecountstate_desc
2024-12-20 18:000011host11not online
2024-12-20 12:000011host41not online

The rest of your search is simply manipulation of display string.

Tags (1)
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...