Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Query to alert when there are some changes made in macros

AmruthaSK
Loves-to-Learn Lots
‎06-29-2023 06:03 AM

Hi All,

We have created few macros with below definition and added the macro names in the important critical alerts.

```maintenance_window=true```

Here i want to alert whenever there are some changes made in Macro, particularly I want to alert team when the above definition is uncommented (which stop many of important alerts during maintenance). If someone forgets to comment it back.

How can I create an alert for looking at macro?

Thanks in Advance

Amrutha SK

Labels (1)
Labels
0 Karma
Reply

AmruthaSK
Loves-to-Learn Lots
‎06-30-2023 09:52 AM

Thanks @dural_yyz but I don't any results with the below query itself. is there any other way?

index=_configtracker

 

0 Karma
Reply

dural_yyz
Communicator
‎06-30-2023 10:28 AM

It was only introduced in 9.x so prior versions of Splunk would not have that index and logging available.  Previous to this we had a script which would ingest the outputs of a btool command and then compare changes in values over time.

0 Karma
Reply

AmruthaSK
Loves-to-Learn Lots
‎07-04-2023 03:31 AM

Is there any other way to try?

Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-04-2023 04:40 AM

Hi

here is one way to do it (and lot other stuff) https://conf.splunk.com/files/2019/slides/FN1315.pdf. Unfortunately it needs that you have set up it before hand. Another way is use https://splunkbase.splunk.com/app/4355, but also it needs to set up before hand.

r. Ismo

Reply

dural_yyz
Communicator
‎06-29-2023 06:14 AM

After Splunk 9.x they introduced "_configtracker" index to log changes to any files.

index=_configtracker data.path=*/macro.conf

Throw in some extras afterward to make it how you want. 

0 Karma
Reply

AmruthaSK
Loves-to-Learn Lots
‎07-04-2023 04:24 AM

As the above did not work, is there way I can call macro and count number of strings, and any change in string which should throw an alert.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...