Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write query for creating alert using lookup

Arpmjdr
Explorer
‎09-04-2019 06:49 AM

Hi Splunkers,

I have the events getting ingested as below:

timestamp patch_version

hostname

Now,I want to create one lookup csv named 'PatchDate' which contains columns with values

Host,MaxAge
default,30

Now,I want to implement two logic:

1.For each event received generate the MAXAGE value to be used.

            IF  <hostname> == Host ]
            THEN
                Use the  MaxAge value.
            ELSE
                Use the MaxAge value for ( Host == “default” )
            END-IF
  1. Calculate the DAYSSINCECHANGE for the   Generate current TimeStamp  => (need to write a rex command as field is not extracted)                                                                     
    Calculate Difference between and for event  => DIFFERENCE                  IF DIFFERENCE > 30 THEN It will throw alert.

Kindly help me to build the query.
TIA

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-05-2019 08:20 AM

Something like this

Your search that returns a record with these fields 
.... do whatever you need to calculate the timestamp here ... 
| table  _time patch_version hostname
| lookup PatchDate.csv Host as hostname OUTPUT MaxAge
| eval MaxAge=concatenate(MaxAge,30)
| eval DaysSinceChange=round((now()-_time)/86400,0) 
| where DaysSinceChange >= MaxAge

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-05-2019 08:20 AM

Something like this

Your search that returns a record with these fields 
.... do whatever you need to calculate the timestamp here ... 
| table  _time patch_version hostname
| lookup PatchDate.csv Host as hostname OUTPUT MaxAge
| eval MaxAge=concatenate(MaxAge,30)
| eval DaysSinceChange=round((now()-_time)/86400,0) 
| where DaysSinceChange >= MaxAge
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-05-2019 10:03 AM

By concatenate did you mean coalesce?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Arpmjdr
Explorer
‎09-05-2019 10:09 PM

modified a little but it has served my purpose. btw, I had to use "coalesce". Thanks to both of you @richgalloway and @DalJeanis 🙂

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-06-2019 05:04 AM

If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-04-2019 12:19 PM

This sounds a lot like a Fiverr task.
We need some example data to determine how to extract the current TimeStamp field.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...