How to compare 2 searches and alert on the differe...

mbowman6241 · ‎01-20-2016

I am trying to alert if one of my servers is left out of load balance for a specific amount of time.

My current search is:

index=netcool $server-ip$ Node | rex field=_raw "Node\s\/Common\/(?<host>.*)\s+address\s(?<ipaddress>[\d\.]+)\ssession status\s(?<status>.*)\." | where status!=" monitor status unchecked" AND status!=" monitor status forced down" | table _time, host, status | sort  -_time | dedup snehost

This gives me a table of all my servers and a status of either "enabled" or "forced disabled" which is perfect. I want to be able to run this search every fifteen minutes and have it generate an alert if the server status is "forced disabled" for an extended period of time.

My original thoughts are, this search runs every 15min and the latest search compares the previous search. Is this possible?

MuS · ‎01-20-2016

Hi mbowman6241,

run this search every 15min as planed, but have the results written to a lookup file by using the outputlookup command in the search http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Outputlookup
Create a second search or Alert which facilitates the lookup using inputlookup http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Inputlookup to get the last status and compare it with the current, if they differ create an alert.

Hope this makes sense ...

cheers, MuS

mbowman6241 · ‎01-20-2016

That makes complete sense. Thank you. Let me see if I can get this to work now.

How to compare 2 searches and alert on the differences?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?