I have an alert that I want to run on 100 URLs. I don't want to make 100 alerts. Can I use 1 alert and have it dynamically populate the URL and send an individual email for each URL if a change happens?
Background: I want to run an accessibility check on a website every few hours and send the logs to Splunk. I get an Alert when the score changes.
This is a simplified version of my Alert search that works great for 1 URL:
host="accessibility-scanner.foo.com" source="/var/log/foo/foo.log" "https://someurl.com"
| reverse
| autoregress current_a11y_score AS old_a11y_score p=1
| eval a11y_changed = if(current_a11y_score!=old_a11y_score,"True","False")
| sort _time
| table _time myRequestedUrl current_a11y_score old_a11y_score a11y_changed
Trigger condition (doesn't quite work but this is the gist of it):
search a11y_changed = True
Trigger action:
Send an email with a bunch of info.
I know that, on a Dashboard, you can populate a form field dynamically with a token based on a search like so:
host="accessibility-scanner.foo.com" source="/var/log/lighthouse/lighthouse.log" myRequestedUrl
Is something like this possible with an Alert? Got any better ideas on how to accomplish this goal of using 1 Alert for multiple URLs?
Thanks in advance. First-time poster.
Thank you all for your advice.
In the end the answer was so much easier than expected. No need for lookups. Just leaving out the URL brought up all the events. Sort them alphabetically and by time, dedup to the latest two to get the last score for autoregress to look at, then dedup again at the end to remove the second event for the same requestedUrl (which is not accurate because it was copied from the previous line, which is not the same URL). That leaves one event row with all the correct values. Then, as @nagarjuna280 said, use the "each result" option in the Alert. That runs it on every row. Easy peasy, and I don't need to maintain a lookup file or definition.
host="accessibility-scanner.foo.com" source="/var/log/foo/foo.log" myRequestedUrl=*
| sort requestedUrl, _time
| dedup 2 myRequestedUrl
| reverse
| autoregress current_a11y_score AS old_a11y_score p=1
| eval a11y_changed = if(current_a11y_score!=old_a11y_score,"True","False")
| sort _time
| dedup requestedUrl
| reverse
| table _time myRequestedUrl current_a11y_score old_a11y_score a11y_changed
This answer works. If you have any hints on how to make the query more efficient, please let me know.
In this case, it is common to use a LOOKUP file.
If you only use it as a condition:
host="accessibility-scanner..." source="/var/log/..." [ |inputlookup XXX.csv|rename your_url as query]|...
If you want to know which keyword matched:
If the number of URLs is about 10:
|inputlookup XXX.csv|rename your_url as myRequestedUrl
|map search="search host=\"accessibility-scanner...\" source=\"/var/log/...\" \"$myRequestedUrl$\"|..."
If the number of URLs is large, efficiency gets worse with map and complicated SPL is needed.
I must not be doing something right. When I try our new search:
host="accessibility-scanner.foo.com" source="/var/log/foo/foo.log" myRequestedUrl
| inputlookup https://someurl.com/files/tiered-sites.csv|rename myRequestedUrl as query
| reverse
| autoregress current_a11y_score AS old_a11y_score p=1
| eval a11y_changed = if(current_a11y_score!=old_a11y_score,"True","False")
| sort _time
| table _time myRequestedUrl current_a11y_score old_a11y_score a11y_changed
I get: "Error in 'inputlookup' command: This command must be the first command of a search." Did I do something wrong?
If I flip it to have inputlookup first I get "Search Factory: Unknown search command 'host'."
Also, maybe related: do I need a real CSV file, or can I pipe it in with something like this?
host="accessibility-scanner.foo.com" source="/var/log/foo/foo.log" myRequestedUrl
| dedup requestedUrl
| outputcsv
The sample above uses a "subsearch".
Subsearch:
Special field: query
index=* [inputlookup xxx.csv | fields col_a]
-> (col_a=1) OR (col_a=2) OR (col_a=3) ...
index=* [inputlookup xxx.csv | rename col_a as query | fields query]
-> (1) OR (2) OR (3) ...
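As an added example, not posted by anyone in this thread: one search that combines the two points raised above. It scopes the base search to the URLs in the lookup through a subsearch (the reason the earlier attempt failed is that inputlookup is a generating command, so it has to open the subsearch rather than sit in the middle of the main pipeline), and it takes the previous score per URL with streamstats instead of a global autoregress, so an old score is never copied from a different URL's row and the dedup-twice workaround is not needed. It assumes the CSV has been uploaded to Splunk as a lookup table file named tiered-sites.csv with a column myRequestedUrl (inputlookup takes a lookup file or definition name, not a web URL), and that the event fields are the ones shown in the thread.

```spl
host="accessibility-scanner.foo.com" source="/var/log/foo/foo.log" myRequestedUrl=*
    [| inputlookup tiered-sites.csv | rename myRequestedUrl AS query | fields query]
| sort 0 myRequestedUrl, _time
| streamstats current=f window=1 last(current_a11y_score) AS old_a11y_score BY myRequestedUrl
| eval a11y_changed = if(isnotnull(old_a11y_score) AND current_a11y_score!=old_a11y_score, "True", "False")
| sort 0 - _time
| dedup myRequestedUrl
| where a11y_changed="True"
| table _time myRequestedUrl current_a11y_score old_a11y_score a11y_changed
```

The subsearch returns the lookup's URL column renamed to the special field query, so it expands to ("url1") OR ("url2") OR ... and restricts the events exactly like the hard-coded quoted URL in the original single-URL search. sort 0 lifts the default 10,000-row cap, which matters once a few hours of scans for 100 URLs are in scope. streamstats with current=f window=1 BY myRequestedUrl gives each event the score of the previous event for the same URL and leaves old_a11y_score null for a URL's first event, which the isnotnull() check treats as no change. The descending sort plus dedup keeps only the latest event per URL, and the where clause leaves one row per URL whose score actually changed, so an alert with the trigger condition "Number of results > 0" and the "For each result" trigger option sends one email per changed URL with that row's fields available as tokens.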
Adding to this: if you want an email alert for each URL result, select the "each result" action option in the email settings.