Lookup Table - only send email if the Event is NOT on the Lookup Table list

MasterOogway
Communicator

If I have a lookup table with the following information in it (see below), how do I send an email if the "event" found is NOT on the list?

For example, what if the event extracted was '%SPANTREE-SP-2-RECV_BAD_TLV'?

error,action,email
SYS-3-PORT_RX_BADCODE,TRUE,some@group.com
SYS-3-PORT_DEVICENOLINK,TRUE,some@group.com
SYS-3-PORT_BADPORT,TRUE,DEFAULT
TTY-3-AUTOCONFIG,TRUE,DEFAULT
ARC22056-4-minor,TRUE,DEFAULT
AUT21097-4-minor,TRUE,DEFAULT
C4K_EBM-4-HOSTFLAPPING,TRUE,DEFAULT
DHCPDBG-4-39,TRUE,DEFAULT
DOT11-4-TKIP_REPLAY,TRUE,some@group.com
DHCP_SNOOPING-4-AGENT_OPERATION_FAILED,TRUE,DEFAULT


props.conf:

[syslog_info]
EXTRACT-cisco_event = (?<error>\%.*-\b([0-4])\-.*?):\s
LOOKUP-foo = cisco_event_error error

transforms.conf

[cisco_event_error]
filename = syslog_alerter.csv


Currently this search finds all events found in the lookup table:

sourcetype="syslog_info" | lookup syslog_alerter.csv error
1 Solution

araitz
Splunk Employee

My Windows & Linux DHCP apps use a similar technique.

Make this change to props.conf:

LOOKUP-foo = cisco_event_error error OUTPUTNEW

Then try this simple search:

sourcetype="syslog_info" error=* NOT action=*

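To make the accepted answer concrete, here is an added example (not code from the post or from Splunk) that emulates in Python what the props.conf/transforms.conf configuration and the search do: extract the error with the same regular expression, enrich each event from the lookup table the way OUTPUTNEW does, and keep only events where an error was extracted but no action was filled in, which is what "error=* NOT action=*" selects. The lookup rows and syslog lines are constructed samples. One caveat the sample data surfaces: the regex captures the leading "%" while the CSV keys omit it, so the example strips it before the lookup match (an assumption about how the poster's data is meant to line up).

```python
import csv
import io
import re

# Constructed lookup table with the same columns as syslog_alerter.csv from the post.
LOOKUP_CSV = """error,action,email
SYS-3-PORT_RX_BADCODE,TRUE,some@group.com
SYS-3-PORT_DEVICENOLINK,TRUE,some@group.com
DOT11-4-TKIP_REPLAY,TRUE,some@group.com
TTY-3-AUTOCONFIG,TRUE,DEFAULT
"""

# Constructed syslog lines; hostnames, ports and MAC are made up.
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 sw-core1 101: %SYS-3-PORT_RX_BADCODE: Port 1/5 received bad code",
    "Jan 10 12:00:02 sw-core1 102: %SPANTREE-SP-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on Port 1/7",
    "Jan 10 12:00:03 ap-lobby 103: %DOT11-4-TKIP_REPLAY: TKIP replay detected from aaaa.bbbb.cccc",
    "Jan 10 12:00:04 sw-edge2 104: %LINK-5-CHANGED: Interface Gi1/0/3, changed state to down",
    "Jan 10 12:00:05 sw-edge2 105: hello, no cisco event here",
]

# Same pattern as EXTRACT-cisco_event in props.conf, written with Python's named-group syntax.
# Only severities 0-4 match, so the severity-5 LINK event above yields no error field at all.
CISCO_EVENT_RE = re.compile(r"(?P<error>\%.*-\b([0-4])\-.*?):\s")


def load_lookup(csv_text):
    """Parse the lookup CSV into {error: {"error":..., "action":..., "email":...}}."""
    return {row["error"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def extract_error(raw):
    """Field extraction: return the error string or None when the regex does not match."""
    match = CISCO_EVENT_RE.search(raw)
    return match.group("error") if match else None


def enrich(raw, lookup):
    """Emulate 'LOOKUP-foo = cisco_event_error error OUTPUTNEW': add action/email only
    when the lookup has a row for the error, and never overwrite a field already present."""
    event = {"_raw": raw}
    error = extract_error(raw)
    if error is None:
        return event
    event["error"] = error
    # Assumption: lookup keys lack the leading '%' that the regex captures, so strip it.
    row = lookup.get(error.lstrip("%"))
    if row is not None:
        event.setdefault("action", row["action"])
        event.setdefault("email", row["email"])
    return event


def unlisted_errors(raw_events, lookup):
    """Emulate the search 'error=* NOT action=*': events with an extracted error
    that the lookup table does not list, i.e. the ones that should trigger the email."""
    enriched = (enrich(raw, lookup) for raw in raw_events)
    return [ev["error"] for ev in enriched if "error" in ev and "action" not in ev]


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    for err in unlisted_errors(SAMPLE_EVENTS, table):
        print("not in lookup, would alert:", err)
</test>
Running the script reports only %SPANTREE-SP-2-RECV_BAD_TLV: the two listed errors get an action from the lookup and are dropped by the NOT clause, the severity-5 event and the non-Cisco line never get an error field, so error=* drops them first. In Splunk the same two-stage behaviour is why the lookup must run as OUTPUTNEW rather than OUTPUT: with OUTPUT the action field would be written (empty) for every event, and action=* would no longer distinguish listed from unlisted errors.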

araitz
Splunk Employee

Sweet! Don't forget to vote up my answer 🙂


MasterOogway
Communicator

After updating per your last correction post I was able to get the results I needed: "only send email if the Event is NOT on the Lookup Table list".
Always nice to get help from the best!


araitz
Splunk Employee

MasterOogway - my fault, I made some typos and put 'event' where it should have said 'error'. I edited your original post as well as my answer above, please give it another try.


MasterOogway
Communicator

I made this change and restarted, but without luck. When I run your search I get no results.
When I run this search: sourcetype=syslog_info event=* , again I get no results, but would have expected something. Any other thoughts?

What does the empty OUTPUTNEW without any following fields defined do? I understand the "NOT action=*" removes any of the csv's "true" entries.

Thanks for your help araitz

pstein (MasterOogway)
