Hi,
I will have a csv file like this:
cachename, value
max,1000
min, 100
I want to do search | fields cachename, value | and compare the value to the value in the csv file and send an alert if it is =1000 or <1000, something like that.
Is this possible in Splunk? If possible, can you please let me know the best way to do it.
Thank You
In other words, you want to define the alert triggering condition based on minimum and maximum values for a field from a csv file?
Here's a mildly hacked approach: I've defined a test.csv with two columns, min and max, with values 300 and 600. Do the same (in $SPLUNK_HOME/etc/system/lookups) and compare these two queries:
| gentimes start=-1 increment=5m | eval foo = starttime % 1200
| gentimes start=-1 increment=5m | eval foo = starttime % 1200 | search [inputlookup test.csv | return min max | eval search = replace(search, "min=", "foo>=") | eval search = replace(search, "max=", "foo<=")]
The first is the unfiltered one, with foo values from 0 to 900. The second filters the previous result based on the limits defined in the CSV file and only returns those events with 300<=foo<=600.
I'm not certain whether the trigger-conditions-in-CSV-file approach is the best for your problem though, what do you want to achieve?
I will try this approach, but why use gentimes? Can I just use the inputlookup part?
gentimes generates time range results; I use it to simulate actual events.
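The answer above uses a lookup with min and max as columns, while the question's CSV stores them as rows (cachename, value). The following search is an added example, not code from the answerer or from Splunk's docs, showing the same subsearch trick adapted to the row layout. It assumes the lookup is saved as cache_limits.csv in a lookups directory, that the events being checked carry a numeric field named value, and that index and sourcetype names are placeholders to replace with your own:

```spl
index=main sourcetype=cache_stats
| fields cachename, value
| search
    [ | inputlookup cache_limits.csv
      | eval {cachename}=value
      | stats values(max) as max, values(min) as min
      | return min max
      | eval search = replace(search, "min=", "value>=")
      | eval search = replace(search, "max=", "value<=") ]
```

The subsearch pivots the two rows into a single row with min and max columns (eval {cachename}=value plus stats), then return emits min=100 max=1000 as a search string, which the two replace calls turn into value>=100 value<=1000 for the outer search. Save this as an alert that triggers when the number of results is greater than zero; if you instead want to alert on values outside the limits, keep the limits in the CSV and adjust the two replace calls to build the opposite comparisons.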