Re: Splunk Alert

sshanmua · ‎03-23-2021

I am trying to create a Splunk alert where the log line is delimited with comma,
I need to get the field 4 and check if the value is greater than threshold then raise an alert

I am able to search the field from corresponding file but unable to fetch the uniq filed and please help with getting the corresponding field which is delimit with comma > threshold

log: when i search for ,dat1, it get me both the lines
date,dat1,queue,0,100,0,0,0,0
date,am.dat1,queue,10000,23,34,0,0

index=index host="hostname" source="logpath" dat1

gcusello · ‎03-23-2021

Hi @sshanmua,

if you already extracted field4, it's very easy to run a search to use in an alert:

index=index host="hostname" source="logpath" dat1
| where field4>10000

where 1000 is the theshold.

If instead you didn't extracted the field4, you have to extract it using a regex:

index=index host="hostname" source="logpath" dat1
| rex "^[^,]+,[^,]+,[^,]+,(?<field4>\d+)"
| where field4>10000

regex that you can check at https://regex101.com/r/YLI5KN/1

Ciao.

Giuseppe

sshanmua · ‎03-23-2021

Sorry for asking more what is the syntax for selecting field 2 and field 5

gcusello · ‎03-23-2021

Hi @sshanmua,

you can extract all the fields or only some of them using a similar regex, this is for fields 2, 4 and 5, as you requested:

| rex "^[^,]+,(?<field2>[^,]+),[^,]+,(?<field4>\d+),(?<field5>\d+)"

Ciao.

Giuseppe

Splunk Alert

count

eval

field extraction

lookup

regex

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Splunk Alert