Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search condition in Splunk where an alert is based on result?

ruchijain
New Member
‎06-25-2019 03:31 AM

I want to get alerts for the situations which are different from below conditions:

Server  a   B   C   D
condition   ü  ü  X   X
                    X      X    ü  ü

I want to check Splunk, for the above servers, if this condition is there then it's ok- otherwise, it will alert us via email.

PS: The above condition means either a and B is UP and C and D is down or A and B is Down and C and D is UP.
If there are any other conditions like all are UP or all are DOWN or A and C are UP or many more condition then it will alert us.

But I am not able to use Splunk to set this condition, can anyone please help me with this?

I am not sure if we can use LOOKUP table to check this one.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-25-2019 03:37 AM

Hi @ruchijain,

I'm assuming you have a table that looks as follows :
A B C D
u u X X
u u u X
u X X X
X X u u

If that's the case then something like this will return all the events you need :

YourBaseSearch ( A=u B=u C=X D=X) OR ( A=X B=X C=u D=u)

Adding NOT will return all the events that should alert you :

YourBaseSearch NOT ( ( A=u B=u C=X D=X) OR ( A=X B=X C=u D=u) )

If you want you can share a sample event so I can help you build a search that's closer to what you will be using.

Cheers,
David

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ruchijain
New Member
‎06-25-2019 04:21 AM

sample is right as below:

currently A and B is showing service status as status =running (sourcetype=service_stutus ---> where i am using service jboss status)
C and D are editorial servers and not running so status is stopped

I want to run the query when A and B are running and C and D are stopped or vice versa (A and B are stopped and C and D are running)
For rest of the status combination it should sent the alert

0 Karma
Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-25-2019 03:37 AM

Hi @ruchijain,

I'm assuming you have a table that looks as follows :
A B C D
u u X X
u u u X
u X X X
X X u u

If that's the case then something like this will return all the events you need :

YourBaseSearch ( A=u B=u C=X D=X) OR ( A=X B=X C=u D=u)

Adding NOT will return all the events that should alert you :

YourBaseSearch NOT ( ( A=u B=u C=X D=X) OR ( A=X B=X C=u D=u) )

If you want you can share a sample event so I can help you build a search that's closer to what you will be using.

Cheers,
David

0 Karma
Reply
Solved! Jump to solution

ruchijain
New Member
‎06-25-2019 03:54 AM

sample is right as below:

currently A and B is showing service status as status =running (sourcetype=service_stutus ---> where i am using service jboss status)
C and D are editorial servers and not running so status is stopped

I want to run the query when A and B are running and C and D are stopped or vice versa (A and B are stopped and C and D are running)
For rest of the status combination it should sent the alert

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...