Alerting

Need advice on alert - If Search #1 > 1 then run Search #2 and alert

voninski
New Member

I have 2 searches. Search #1 knows if I have left the house. Search #2 figures out what is open in the house (i.e. windows, doors, etc.). What I want to do is create an alert that runs every 10 minutes that checks to see if I have just left the house (Search #1) and then, if I have, automatically runs Search #2 and sends me a text message. I am looking for the group's advice on the best way to accomplish this. I have tried to merge with append but am not getting the exact results I want. I am giving the 2 queries I am using below as well, FYI.

Search #1 - index=security sourcetype="SplunkLog-7" "Rich*" OnOff=Off

Again - if the count is greater than 1 then execute Search #2 -

Search #2 - index=security sourcetype=HAI | transaction name=grouped_events | search currentStatusText != "" | stats first(currentStatusText) as DisplayValue by name | search DisplayValue = "[NOT READY]" |stats values(name) as name delim=" "| nomv name

And send an alert text message.

Thank you!

RV

1 Solution

sundareshr
Legend

Try this

index=security [search index=security sourcetype="SplunkLog-7" "Rich*" OnOff=Off | stats count | eval sourcetype=if(count>0, "HAI", "dontsearch") | fields sourcetype ] | transaction name=grouped_events | search currentStatusText != "" | stats first(currentStatusText) as DisplayValue by name | search DisplayValue = "[NOT READY]" | stats values(name) as name delim=" " | nomv name


voninski
New Member

This query is very close. I made the following change though and it doesn't work quite right and actually returns nothing.

index=security [search index=security sourcetype="SplunkLog-7" "Rich*" OnOff=Off | stats count | eval sourcetype=if(count>0, "HAI", "dontsearch" )| fields sourcetype ]| transaction name=grouped_events | search currentStatusText != "" | stats first(currentStatusText) as DisplayValue by name | search DisplayValue = "[NOT READY]" earliest=-30d@d latest=now|stats values(name) as name delim=" "| nomv name

I need to do the first search over 15 minutes and the embedded search over the last 30 days, since the way the system works is it looks for the last time the door etc. was left in a secure/not ready position. Is there a way I can have the times be different between the two embedded searches?


voninski
New Member

Playing around, I built the following query

index=security [search index=security sourcetype="SplunkLog-7" "Rich*" OnOff=Off earliest=-15m latest=now| stats count | eval sourcetype=if(count>0, "HAI", "dontsearch" )| fields sourcetype ]| transaction name=grouped_events | search currentStatusText != "" | stats first(currentStatusText) as DisplayValue by name | search DisplayValue = "[NOT READY]" |stats values(name) as name delim=" "| nomv name

Making the search window 30 days and embedding the time inside the search for 'my' status is actually producing the exact results I want.

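The thread shows the gated query but never the scheduled alert that the original question asks for. As an added example (not from the thread or from Splunk's docs), the following savedsearches.conf stanza schedules sundareshr's subsearch-gated query, with voninski's 15-minute window embedded in the subsearch and a 30-day outer window, every 10 minutes and fires only when the gated search returns rows. The stanza name, the window values and the email-to-SMS address are assumptions; replace them for your own deployment.

```ini
# Added example, not part of the original thread.
# Stanza name, time windows and the recipient address are assumptions.
[left_house_open_sensors]
enableSched = 1
cron_schedule = */10 * * * *

# Outer window is 30 days so the HAI transaction search can see the last
# status change for each sensor; the subsearch narrows its own window to
# the last 15 minutes with inline earliest/latest.
dispatch.earliest_time = -30d@d
dispatch.latest_time = now

# The subsearch always returns exactly one row (stats count never yields
# zero rows): sourcetype="HAI" when an OnOff=Off event was seen in the last
# 15 minutes, otherwise a sourcetype that matches nothing, so the outer
# search produces no results and the alert stays silent.
search = index=security [search index=security sourcetype="SplunkLog-7" "Rich*" OnOff=Off earliest=-15m latest=now | stats count | eval sourcetype=if(count>0, "HAI", "dontsearch") | fields sourcetype] | transaction name=grouped_events | search currentStatusText != "" | stats first(currentStatusText) as DisplayValue by name | search DisplayValue="[NOT READY]" | stats values(name) as name delim=" " | nomv name

# Trigger only when the gated search returns at least one result row.
counttype = number of events
relation = greater than
quantity = 0

# Deliver the result table as a text message through a carrier email-to-SMS
# gateway (placeholder address).
action.email = 1
action.email.to = 5551234567@sms-gateway.example.invalid
action.email.inline = 1
action.email.sendresults = 1
```

If the search returns rows while no one has left the house, check the subsearch on its own first: with no OnOff=Off events it must return sourcetype="dontsearch", and that value must not exist as a real sourcetype in the index.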

somesoni2
Revered Legend

Try like this

Updated (corrected field name notHome usage)

index=security sourcetype="SplunkLog-7" "Rich*" OnOff=Off | head 1 | eval notHome=1 | table notHome | appendcols [search index=security sourcetype=HAI | transaction name=grouped_events | search currentStatusText != "" | stats first(currentStatusText) as DisplayValue by name | search DisplayValue = "[NOT READY]" | stats values(name) as name delim=" " | nomv name] | where notHome=1 | fields - notHome

voninski
New Member

Getting close. The search itself actually works. I made a couple of modifications since the isGone field doesn't get populated.

index=security sourcetype="SplunkLog-7" "Rich*" OnOff=Off | head 1 | eval notHome=1 | table isGone | appendcols [search index=security sourcetype=HAI | transaction name=grouped_events | search currentStatusText != "" | stats first(currentStatusText) as DisplayValue by name | search DisplayValue = "[NOT READY]" |stats values(name) as name delim=" "| nomv name]| fields - isGone

The issue that I am trying to address though is that the search inside of the appendcols needs to be over 30 days. I have put span=30days inside of the subsearch but when I do it returns nothing. Any ideas? The main search needs to be every 10 minutes.


somesoni2
Revered Legend

I had used the wrong field name in a few places. Try the updated answer.


voninski
New Member

Thank you for this answer. I have learned some new techniques from this. The query is very close and is actually another way that I can get to the same result.


pradeepkumarg
Influencer

You should be able to do this with just one search: Search 2 as your outer search and Search 1 as your subsearch, passing some kind of a flag from your subsearch to the outer search and conditioning on that.
