Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Problem with lookup for disabling alerts during maintenance

jmoeller
New Member
‎08-08-2018 12:56 PM

Sorry for the simple question, I am new to the Splunk world....

I have a CSV loaded (StandardMaintenance.csv) which has two rows

UnderMaintenance
NO

I want to add a check to each alert so that they will not fire during maintenance.

Here is my code...

....query goes here...
| lookup StandardMaintenance.csv UnderMaintenance
| search NOT UnderMaintenance="NO"

What am I doing wrong or how better might I accomplish this?

Thanks.

0 Karma
Reply

jmoeller
New Member
‎08-10-2018 06:02 PM

Thanks for the response. The CVS file only consists of the one field. I want maintenance to be either on or off. If off, run query, if on, don't run query. I am not marking individual hosts, it is all or nothing.

Thanks

0 Karma
Reply

fferozbasha
Explorer
‎08-08-2018 07:15 PM
  1. The Inputlookup command supports where condition which means the better way to filter down the search will be

| inputlookup StandardMaintenance WHERE UnderMaintenance="Yes"

  1. What columns do you expect out of the lookup and added in the filter in base search? Ex - If it is to find the list of Hosts that are not under maintenance and consider them for alerting, sample query can be -

index=os sourcetype=vmstat NOT [ | inputlookup StandardMaintenance WHERE UnderMaintenance="Yes" | fields host | table host ]
| fields memUsedPct, host
| stats avg(memUsedPct) as avgMemUsed by host
| where avgMemUsed > 75
| table host

0 Karma
Reply

jmoeller
New Member
‎08-09-2018 06:13 AM

Thanks. I have no additional information in the StandardMaintenance table. I simply want to use the table as a check... If UnderMaintainance is NO, execute query (thus generate an alert).

To use your example, I want to run the index=os sourcetype=vmstat query only when UnderMaintainence is "NO"

I know I should be able to deduce it from what you provided, but I am still struggling. Any additional input is appreciated.

0 Karma
Reply

nagarjuna559
Explorer
‎08-11-2018 06:47 AM

| lookup StandardMaintenance.csv UnderMaintenance
| where UnderMaintenance="NO"

fields values you use after where are the case sensitive,

0 Karma
Reply

nagarjuna559
Explorer
‎08-11-2018 06:49 AM

| lookup StandardMaintenance.csv

| where UnderMaintenance="NO"

0 Karma
Reply

fferozbasha
Explorer
‎08-10-2018 05:51 PM

The query that i have provided should do the same. It will run search a Index=os ONLY if there any hosts tagged as UnderMaintenance=Yes.

0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎08-08-2018 06:43 PM

What are you looking up against i.e. what's matching criteria in search and lookup?
Also in the above search if you want only those events which is not under maintenance , you should use

| search UnderMaintenance="NO"

Happy Splunking!
0 Karma
Reply

nvanderwalt_spl
Splunk Employee
Splunk Employee
‎08-08-2018 06:38 PM

Do you want to put all the things in downtime?
If you had only a few hosts in the lookup at any time, you could do something like this:

search string NOT [|inputlookup hosts_in_maint.csv | table  host| format]
0 Karma
Reply

jmoeller
New Member
‎08-08-2018 06:45 PM

I am sorry I wasn't clear. I want it to function as a simple on/off. If maintenance is ON, don't run the search. If maintenance is off, run it normally.

Thanks for your input.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...