Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Correlate data between 2 seperate source and Alert on conditions

amN0P
Explorer
‎09-23-2011 07:13 AM

Hello,
I want to correlate data between logs collected from 2 different sources and I want to alert when a condition is met. How can I create a search for this. Example:

Source 1 log output is: source1_ipaddress visiting_particular_url
Source 2 log output is: source2_ipaddress hostname username

I want to send email alert containing "username" from Source 2 whenever Source 1 logs the event AND source1_ipaddress=source2_ipaddress.
How can I do this? Will appreciate your response. Thanks.

Tags (1)
0 Karma
Reply

cpeteman
Contributor
‎06-28-2013 02:11 PM

This is a duplicate question. It should be removed I believe.

0 Karma
Reply

sairic81
New Member
‎04-06-2012 10:07 AM

I am also interested in doing something similar - I am particularly concerned with correlating an alert based off of 2 performance counters. For example: we would like to watch % processor time and available mbytes - should both breach certain conditions then send an alert to me.

Any help would be appreciated.

0 Karma
Reply

linu1988
Champion
‎06-28-2013 02:39 PM

Its easy, index=blah counter=% processor time| eval CPU_Usage=value|join host[search index=blah counter=% available mbytes|eval Mem_Usage=value]| table host,CPU_Usage,Mem_Usage| where Condition|eval Status=if(CPU_Usage>50 AND Mem_Usage>(any value),"Warning","Critical")

Same goes for the above question.

Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...