Alerting

consolidate the alert

logloganathan
Motivator

index=xyz host=a12fr* sourcetype = alert "A failed" OR "A success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")

index=xyz host=a12fr* sourcetype = alert "B failed" OR "B success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")

index=xyz host=a13fr* sourcetype = alert "B failed" OR "B success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")

index=xyz host=a13fr* sourcetype = alert "A failed" OR "A success"
| head 1
| eval my_time=_time, current=Now()
| eval diff=current-my_time
| where diff>=100 AND like(_raw, "%failed%")

How do I consolidate these alerts into a single alert?

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

index=xyz (host=a12fr* OR host=a13fr*) AND sourcetype = alert AND (("A failed" OR "A success") OR ("B failed" OR "B success"))
| eval which = case(searchmatch("\"A failed\" OR \"A success\""), "A", searchmatch("\"B failed\" OR \"B success\""), "B", true(), "ERROR")
| dedup host which
```diff is the age of the latest event per host/check in seconds; it must be now() minus _time (positive), since _time minus now() is negative and would never satisfy diff>=100```
| eval diff=now() - _time
| where diff>=100 AND like(_raw, "%failed%")


0 Karma

richgalloway
SplunkTrust

Perhaps I'm missing something, but have you tried the obvious?

index=xyz (host=a12fr* OR host=a13fr*) sourcetype = alert (("A failed" OR "A success") OR ("B failed" OR "B success"))
| eval my_time=_time, current=Now() 
| eval diff=current-my_time 
| where diff>=100 AND like(_raw, "%failed%")

It can be refined further to this:

index=xyz (host=a12fr* OR host=a13fr*) sourcetype = alert ("A failed" OR "B failed") latest=-100s
---
If this reply helps you, Karma would be appreciated.
0 Karma

logloganathan
Motivator

If I get both failure and success, then I do not want to display it.

0 Karma

richgalloway
SplunkTrust

Then @woodcock has your answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

woodcock
Esteemed Legend

Like this:

index=xyz (host=a12fr* OR host=a13fr*) AND sourcetype = alert AND (("A failed" OR "A success") OR ("B failed" OR "B success"))
| eval which = case(searchmatch("\"A failed\" OR \"A success\""), "A", searchmatch("\"B failed\" OR \"B success\""), "B", true(), "ERROR")
| dedup host which
```diff is the age of the latest event per host/check in seconds; it must be now() minus _time (positive), since _time minus now() is negative and would never satisfy diff>=100```
| eval diff=now() - _time
| where diff>=100 AND like(_raw, "%failed%")
0 Karma

logloganathan
Motivator

I am getting this error:

Error in 'eval' command: Typechecking failed. 'OR' only takes boolean arguments.

0 Karma

woodcock
Esteemed Legend

I edited my answer and fixed that error.

0 Karma

logloganathan
Motivator

Actually, the requirement is:
- If I get a failure event and then a success event within 5 minutes, it should not be noted.
- If I get only a failure event and no success event in the last 5 minutes, it should be noted.
- If I get only success, it should not be noted.
Could you please help me?

0 Karma

woodcock
Esteemed Legend

I can help but let's move this to another new question and close out this one. Call me out in the new question and I will take a look at it.

0 Karma

logloganathan
Motivator

Sure woodcock

0 Karma

logloganathan
Motivator

@woodcock Could you please help

0 Karma

lakshman239
SplunkTrust

I think you are looking for success or failure; probably eventstats and streamstats could help. From line 3 in woodcock's response, try changing to eventstats, keep a 5-minute window, and you can then do eventstats values(which) by host.

Please look at https://www.splunk.com/blog/2014/04/01/search-command-stats-eventstats-and-streamstats-2.html and change it as per your need.

0 Karma

gowtham495
Path Finder

Is success/failed captured in any field name?

0 Karma

logloganathan
Motivator

No, it's not a field name.

0 Karma

lakshman239
SplunkTrust

You could do a couple of things:
- Assuming your raw events are similar, create a field to extract the status (success/failed).
- Create eventtypes for each pattern: "A failed" OR "A success", "B failed" OR "B success", etc.
- Possibly a macro to define the hosts, say 'host A OR host B OR host C' etc., to make the search simpler.
- Then: index=xyz (eventtype=A OR eventtype=B) | head .... your search...
- Where possible, avoid like(_raw, "%failed%") and bring that into your base search (before the first pipe).

0 Karma
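An added example (not posted in the thread, and not the accepted answer) showing one way to implement the 5-minute rule from the follow-up requirement as a single scheduled search. It combines the two suggestions above: pull the check name and outcome into fields instead of matching on _raw, then compare the latest failure against the latest success per host and check. It assumes the messages literally contain "A failed", "A success", "B failed" or "B success", so the rex pattern, the field names check and status, and the 60-minute lookback are assumptions to adjust to the real data:

```spl
index=xyz (host=a12fr* OR host=a13fr*) sourcetype=alert ("A failed" OR "A success" OR "B failed" OR "B success") earliest=-60m latest=now
| rex field=_raw "(?<check>A|B) (?<status>failed|success)"
| stats max(eval(if(status="failed", _time, null()))) AS last_failed
        max(eval(if(status="success", _time, null()))) AS last_success
        BY host check
| where isnotnull(last_failed)
    AND (isnull(last_success) OR last_success < last_failed)
    AND now() - last_failed >= 300
| eval age_sec = now() - last_failed
| eval last_failed = strftime(last_failed, "%Y-%m-%d %H:%M:%S"),
       last_success = if(isnull(last_success), "none", strftime(last_success, "%Y-%m-%d %H:%M:%S"))
| table host check last_failed last_success age_sec
```

The stats line records, per host and check, the epoch time of the newest failure and the newest success (null when that outcome never occurred in the window). A row survives the where clause only when a failure exists, no success came after it, and that failure is at least 300 seconds old, which gives the three cases in the requirement: failure then success within 5 minutes (success is newer, dropped), failure with no success for 5 minutes (kept), success only (no failure, dropped). Schedule the search every 5 minutes and throttle the alert by host and check so a standing failure does not page again on every run; the lookback must be longer than 5 minutes or a failure would age out of the window before it can be reported. If eventtypes and a host macro are created as suggested, they replace the quoted strings and the host= clauses in the first line without changing the rest.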