Splunk Search

Time-based Lookup Configuration not quite working?

BlueSocket
Communicator

Dear All,

I have a set of error events that are generated when an issue happens in our environment. I run an alert every day to see if there are any events over the previous day and send a table of the results to an administrator.

The problem now is that the administrator has got annoyed with Splunk sending similar events every day and wants to set an event to be "Acknowledged" for a certain amount of time (7 days). If the error occurs again in those 7 days, we do not want to get an email, but we do want to get an email if a different issue occurs.

So... What I have done is to set up a [status] lookup with the following field definition:

"host","Error_Message","Error_Status","Time_Acknowledged"

The idea is that an administrator then uses a Workflow action to output the field data into the lookup, such as:

server1,"I am broken","Acknowledged",07/31/2017 12:04:34

The Workflow action works and I can see the lookup table being added to. So I see the following in the status.csv file:

"host","Error_Message","Error_Status","Time_Acknowledged"
server1,"I am broken","Acknowledged",05/31/2017 12:04:34

The definition of the lookup in the props.conf is:

[status]
default_match = Unknown
filename = status.csv
max_matches = 1
min_matches = 1
time_field = Time_Acknowledged
time_format = %m/%d/%y %H:%M:%S
max_offset_secs = 604800
min_offset_secs = 0

And in the props.conf I put:

[snmp]
LOOKUP-status = status.csv Error_Message AS SNMP_Trap_Message host AS host OUTPUTNEW Error_Status AS Error_Status Time_Acknowledged AS Time_Acknowledged

However, when I run the search WITHIN 7 days of 05/31/2017 12:04:34:

index=main sourcetype=snmp earliest=-1d | table _time, host, Error_Message, Error_Status, Time_Acknowledged

I would expect to see:

06/01/2017 09:23:45    server1    I am broken    Acknowledged    05/31/2017 12:04:34
06/01/2017 10:11:34    server2    I am not well   Unknown             Unknown

However, I see the following:

06/01/2017 09:23:45    server1    I am broken    Unknown             Unknown
06/01/2017 10:11:34    server2    I am not well   Unknown             Unknown

It looks like the Time-based Lookup is not functioning at all.

Does anyone know what I am doing wrong, please?

Thanks in advance,
BlueSocket

1 Solution

BlueSocket
Communicator

Hi,

This is probably bad form, but I am providing an answer to my own question.

I realised my mistake when I re-read the configuration. Most of the stuff was working correctly, but the time_format configuration was wrong:

time_format = %m/%d/%y %H:%M:%S

%y means "2-digit date" and I was providing a "4-digit date". When I changed this to the following, it started to work:

time_format = %m/%d/%Y %H:%M:%S

I hope that this helps someone else!
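As an added illustration (not code from the original post or from Splunk), the script below emulates the time-based lookup the thread configures so the status.csv and time_format can be checked offline before the alert is trusted: it parses the lookup with a given time_format, then matches the two events from the question against host, Error_Message and the 0 to 604800 second window. The CSV and event timestamps are constructed from the values in the question; EVENT_FORMAT and the matching logic are assumptions, a simplified emulation rather than Splunk's own matcher.

```python
import csv
import io
from datetime import datetime

# Constructed copy of the status.csv shown in the question.
STATUS_CSV = '''"host","Error_Message","Error_Status","Time_Acknowledged"
server1,"I am broken","Acknowledged",05/31/2017 12:04:34
'''
# Values from the [status] stanza in the question.
MAX_OFFSET_SECS = 604800  # 7-day acknowledgement window
MIN_OFFSET_SECS = 0
DEFAULT_MATCH = "Unknown"
EVENT_FORMAT = "%m/%d/%Y %H:%M:%S"  # assumed format of the sample event times

def parse_status(csv_text, time_format):
    """Load lookup rows; a Time_Acknowledged value that does not parse with
    time_format is reported in 'unparsed' instead of silently vanishing."""
    rows, unparsed = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            row["_ack_time"] = datetime.strptime(row["Time_Acknowledged"], time_format)
            rows.append(row)
        except ValueError:
            unparsed.append(row["Time_Acknowledged"])
    return rows, unparsed

def make_event(timestamp, host, message):
    return {"_time": datetime.strptime(timestamp, EVENT_FORMAT),
            "host": host, "Error_Message": message}

def lookup_status(event, rows):
    """Simplified emulation of the time-bounded match: host and Error_Message
    must match and the event must fall between min_offset_secs and
    max_offset_secs after the acknowledgement time; else default_match."""
    for row in rows:
        if row["host"] != event["host"] or row["Error_Message"] != event["Error_Message"]:
            continue
        offset = (event["_time"] - row["_ack_time"]).total_seconds()
        if MIN_OFFSET_SECS <= offset <= MAX_OFFSET_SECS:
            return row["Error_Status"], row["Time_Acknowledged"]
    return DEFAULT_MATCH, DEFAULT_MATCH

def check(time_format):
    """Run the two events from the question through the lookup."""
    rows, unparsed = parse_status(STATUS_CSV, time_format)
    events = [make_event("06/01/2017 09:23:45", "server1", "I am broken"),
              make_event("06/01/2017 10:11:34", "server2", "I am not well")]
    return {"unparsed": unparsed, "results": [lookup_status(e, rows)[0] for e in events]}
```

With `%m/%d/%y %H:%M:%S` the acknowledgement time is reported as unparsed and both events come back Unknown; with `%m/%d/%Y %H:%M:%S` server1 comes back Acknowledged, and an event more than 604800 seconds after the acknowledgement falls back to Unknown again.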
