- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Alerts Against A CSV
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alerts Against A CSV
I have a macro saved which takes 4 parameters and is of the form:
source="MySource" $EventValueFilter$ earliest=$Earliest$ | head _time limit=$Limit$ | stats avg(Timing) as Timing | where Timing >= $Duration$
Which essentially needs to filter events based on a certain attribute for a specified duration, optionally select a sub section of these, calculate the average Timing for that even (Timing is a defined integer value for the events filtered) and return a value when the average is above a certain threshold. Therefore I could call the following:
mymacro(LOGINSTEP, -4h, 0, 100)
which I would want to get the average time for events with LOGINSTEP in their text for the past 4 hrs and detect if this value was >= 100ms. What I would like to do is define a CSV file with a list of potential checks in a similar vein and have 1 alert which iterates over this file and reports on any relevant occurences e.g.
EventValueFilter,Earliest,Limit,Duration
LOGINSTEP,-1h,0,100
HOMEPAGE,-1h,5,50
SEARCHRESULTS,-5m,500
I have the lookup file/definition set up and the above macro so I was looking how I can use these two within a Search to alert me?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Untested, but 'inputcsv' and 'map' should be what you need
Lets assume your CSV is called alertcheck.csv and the significant field returned by mymacro is 'count'
The search would be along the lines of :
| inputcsv alertcheck.csv
| map search="
`mymacro(\"$EventValueFilter$\", \"$Earliest$\", \"$Limit$\", \"$Duration$\")`
| eval EventValueFilter=\"$EventValueFilter$\"
| eval Earliest=\"$Earliest$\"
| eval Limit=\"$Limit$\"
| eval Duration=\"$Duration$\"
" | table EventValueFilter Earliest Limit Duration count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm. Apologies for leading you up the garden path.
This might be a bug.
this has been reported before. macros dont seem to expand in 'map'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I put those in on my query, and another $ at the end of Duration in the parameter list, still can't understand why I get the message when I run the script, but executing the generated query displays the results?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
oops - need backticks around the macro - updated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for this, I've tried to get it working but something strange happening - when I run this:
| inputcsv Example.csv
| map search="mymacro($EventValueFilter$, $Earliest$, $Limit$, $Duration$)
| eval EventValueFilter=$EventValueFilter$
| eval Earliest=\"$Earliest$\"
| eval Limit=$Limit$
| eval Duration=$Duration$ "
I get the following message:
Unable to run query 'mymacro(LOGINSTEP, -1h, 0, 800) | eval EventValueFilter=LOGINSTEP | eval Earliest="-1h" | eval Limit=0 | eval Duration=800'.
However if I run the generated query above directly in a search then I get the results!!
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
