Splunk Search

I have an inputlookup which has fields like index and count. I need to create an alert which should trigger when the count of the given indexes exceeds the given count in the lookup; use of a subsearch will also be fine.

bapun18
Communicator

I wrote a query to get the result, but it's simple and it's giving static output. I want to use the index field and the count field dynamically.

Following are the queries I used.

|inputlookup idx_myvdf.csv | table index | stats count by index | where count < 1000
|tstats c by index where index[|inputlookup idx_myvdf.csv | rename index AS actual_index] AS actual_count | table index count actual_index] where count < actual_count

I want to modify the query so that it gives the output with the actual index count alongside the count mentioned in the inputlookup, and the alert is triggered once the actual count is greater than the count value provided under the count field.

0 Karma

somesoni2
SplunkTrust

Do it like this (assuming the name of the field in the lookup which has the count is countFieldInLookup; update per your case).
Updated per other question post

| tstats count as actual_count where [| inputlookup idx_myvdf.csv | table index] by index
| lookup idx_myvdf.csv index OUTPUT count as threshold_count
| where actual_count > threshold_count
0 Karma
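A combined form of the two approaches discussed in this thread, as an added example that is not part of any post here: it assumes the lookup idx_myvdf.csv carries an index field and a count field holding the threshold, as the question states. It keeps lookup indexes that had no events at all (they appear with actual_count 0 instead of disappearing from the results), coerces the threshold, which the lookup returns as a string, before comparing, and reports how far over the threshold each index is. The alert's own time range governs the tstats window.

```spl
| tstats count AS actual_count where [| inputlookup idx_myvdf.csv | table index] by index
| append [| inputlookup idx_myvdf.csv | table index count | rename count AS threshold_count]
| stats max(actual_count) AS actual_count, max(threshold_count) AS threshold_count by index
| fillnull value=0 actual_count
| eval threshold_count=tonumber(threshold_count), overage=actual_count-threshold_count
| where actual_count > threshold_count
| table index actual_count threshold_count overage
```

Save it as a scheduled alert with the trigger condition "number of results greater than 0"; each row returned is one index that exceeded its threshold in that window.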

kamlesh_vaghela
SplunkTrust

@bapun18

Can you please try this?

| tstats c  as count by index 
| append 
    [| inputlookup idx_myvdf.csv 
    | table index actual_count] 
| stats values(count) as count values(actual_count) as actual_count by index] 
| where count > actual_count

I have designed a rough search. So just execute it and provide your feedback.

bapun18
Communicator

Hi Jacobevans/Kamlesh,

Thanks for your quick response; we still don't have any data after executing both searches. Please find below.

https://ibb.co/W5dtjr7
https://ibb.co/mFkZ8v1

0 Karma

kamlesh_vaghela
SplunkTrust

@bapun18

Can you please execute this search?

| tstats c as count by index 
| append 
    [| inputlookup idx_myvdf.csv 
    | table index actual_count] 
| stats values(count) as count values(actual_count) as actual_count by index] 
| where count > actual_count

As per your image (https://ibb.co/mFkZ8v1), the actual_count field is not coming. Can you please confirm the values available in index OR actual_count against the indexes from the tstats search?

0 Karma

bapun18
Communicator

We are getting the following error.

0 Karma

jacobpevans
Motivator

See my comment above. You can only have statistical aggregation function commands between stats and by - the index argument in @kamlesh_vaghela's comment is invalid.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma

jacobpevans
Motivator

Small correction to these lines (otherwise this looks good to me also).

| stats values(count) as count values(actual_count) as actual_count by index
| where count > actual_count
Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
