Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Query to alert when there are some changes made in macros

AmruthaSK
Loves-to-Learn Lots
‎06-29-2023 06:03 AM

Hi All,

We have created few macros with below definition and added the macro names in the important critical alerts.

```maintenance_window=true```

Here i want to alert whenever there are some changes made in Macro, particularly I want to alert team when the above definition is uncommented (which stop many of important alerts during maintenance). If someone forgets to comment it back.

How can I create an alert for looking at macro?

Thanks in Advance

Amrutha SK

Labels (1)
Labels
0 Karma
Reply

AmruthaSK
Loves-to-Learn Lots
‎06-30-2023 09:52 AM

Thanks @dural_yyz but I don't any results with the below query itself. is there any other way?

index=_configtracker

 

0 Karma
Reply

dural_yyz
Builder
‎06-30-2023 10:28 AM

It was only introduced in 9.x so prior versions of Splunk would not have that index and logging available.  Previous to this we had a script which would ingest the outputs of a btool command and then compare changes in values over time.

0 Karma
Reply

AmruthaSK
Loves-to-Learn Lots
‎07-04-2023 03:31 AM

Is there any other way to try?

Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-04-2023 04:40 AM

Hi

here is one way to do it (and lot other stuff) https://conf.splunk.com/files/2019/slides/FN1315.pdf. Unfortunately it needs that you have set up it before hand. Another way is use https://splunkbase.splunk.com/app/4355, but also it needs to set up before hand.

r. Ismo

Reply

dural_yyz
Builder
‎06-29-2023 06:14 AM

After Splunk 9.x they introduced "_configtracker" index to log changes to any files.

index=_configtracker data.path=*/macro.conf

Throw in some extras afterward to make it how you want. 

0 Karma
Reply

AmruthaSK
Loves-to-Learn Lots
‎07-04-2023 04:24 AM

As the above did not work, is there way I can call macro and count number of strings, and any change in string which should throw an alert.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...